Specialist child and baby retailer Kiddicare has reported a data breach of personal information.
Although the Peterborough-based company said that it was on a test website, it was using real customer data and it is thought the data breach may have taken place in November 2015. In a document it said that it was alerted to the breach by a phishing SMS message “purported to be from a subsidiary website of Kiddicare.com and invited customers to take an online survey.”
It said: “At this point, we immediately undertook preliminary reviews of our systems and found no evidence of any breach of our systems or database.
We have since been alerted by a security company with information indicating that data relating to Kiddicare may have been compromised.”
The company said that the Information Commissioner’s Office had been notified, that no card details had been exposed and only the customer’s name, delivery address, email and telephone number had been breached. Upon detecting the incident, the test website was taken down.
“Whilst there was no evidence that passwords were compromised, we have taken the precaution of automatically resetting all passwords, so when you shop next please use the auto update facility to reset,” it said.
Trent Telford, CEO at Covata, said: “Once again it’s the customers who are feeling the effects of a company’s carelessness. When websites are in the midst of development things are bound to go wrong, but this latest breach begs the questions why real customer data was used and, critically, why it wasn’t encrypted.
“It’s bad enough that personal details were compromised, but had a hacker been able to breach its main site and similar encryption precautions were missing, more sensitive data – such as payment details – could have been stolen; meaning Kiddicare would be facing a much bigger problem.
“Kiddicare assigned access management to the data, it would have been able to spot immediately that data was being viewed by unauthorized employees and siphoned out of the network; meaning it would not have taken multiple customers to report suspicious text messages before an investigation was launched. Businesses must stop burying their heads in the sand when it comes to data security, especially as the incoming EU GDPR will give the consumer more power to fight back if their information is compromised.”
Pat Clawson, CEO of the Blancco Technology Group, said: “First of all Kiddicare should be commended for reporting itself to the UK’s Information Commissioner and directly contacting the customers that may have been affected. The firm has acknowledged its mistake, taken responsibility and learned the lessons. This is in stark contrast to the children’s toy manufacturer Vtech, who in the same circumstances chose to put the burden of responsibility on its users.
“However, it is still deeply concerning that real customer data was left vulnerable on a Kiddicare ‘test' website it had been experimenting with over six months ago. If Kiddicare had a responsible data lifecycle plan in place, it would have permanently erased all of this data when the testing was complete. Data erasure is one small but very important piece of the data security puzzle when it comes to preventing a data breach, as many companies are discovering the serious consequences and costs to themselves and their customers.”