Date: 2020-04-24

UK hardware store Robert Dyas has revealed that card-skimming malware on the chain’s e-commerce website has led to the theft of customer financial data.

For 23 days, starting March 7 and ending March 30, a web skimmer was operational on Robert Dyas’ website, according to an email sent to customers and obtained by The Register.

Robert Dyas provides DIY and home improvement products, gardening tools and electrical equipment. Customers who ordered this type of merchandise through the company’s website between these dates could have had their payment details stolen, including card numbers, expiration dates and CVV security codes. In addition, customer names and addresses may have been taken.

The planting of card-skimming malware and the hijacking of payment portals are now known as Magecart attacks. A vulnerability in a website is exploited and JavaScript skimming code is added to legitimate scripts in the payment area of websites.
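Because this kind of attack works by adding code to scripts the payment page already loads, a defender can compare the scripts being served against a known-good baseline. The sketch below is an added example, not code from the article or from Robert Dyas; the file names and script contents are constructed, and the digest format follows the Subresource Integrity convention.

```javascript
// Added example: integrity audit for payment-page scripts (not from the article).
const crypto = require('node:crypto');

// Subresource Integrity style digest: "sha384-" + base64(SHA-384(body)).
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Record the known-good digest and size of every script the checkout page loads.
function buildBaseline(scripts) {
  const baseline = new Map();
  for (const [path, body] of Object.entries(scripts)) {
    baseline.set(path, { hash: sriHash(body), bytes: Buffer.byteLength(body) });
  }
  return baseline;
}

// Compare what the site serves now against the baseline.
function auditScripts(baseline, served) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    const known = baseline.get(path);
    if (!known) {
      findings.push({ path, issue: 'unexpected-script' });
    } else if (known.hash !== sriHash(body)) {
      findings.push({ path, issue: 'modified', grewBy: Buffer.byteLength(body) - known.bytes });
    }
  }
  for (const path of baseline.keys()) {
    if (!(path in served)) findings.push({ path, issue: 'missing' });
  }
  return findings;
}

// Constructed sample data: file names and contents are hypothetical.
const knownGood = {
  '/js/checkout.js': 'function submitOrder(form) { return form.submit(); }\n',
  '/js/validate.js': 'function luhnOk(n) { return true; }\n',
};
const servedNow = {
  // Same file with extra bytes appended, standing in for injected code.
  '/js/checkout.js': knownGood['/js/checkout.js'] + '/* constructed stand-in for appended code */\n',
  '/js/validate.js': knownGood['/js/validate.js'],
  '/js/analytics-loader.js': '/* constructed: script never seen at baseline */\n',
};

const findings = auditScripts(buildBaseline(knownGood), servedNow);
console.log(findings);
```

Run on a schedule against the live checkout page, a check like this flags a changed or newly introduced script when it appears. The same digests can be placed in `integrity` attributes on `<script>` tags so browsers refuse a modified file.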

Previous victims of card skimmers include British Airways and Ticketmaster.

Robert Dyas became aware of the intrusion on March 30 and removed the malicious code. Up to 20,000 customers are involved in the security incident.

The damage has been increased by higher sales of home improvement products caused by the UK lockdown and stay-at-home orders. Specifically, the hardware store has been in the midst of a huge increase in online sales that has resulted in the imposition of a minimum online spend of £50 ($61).

“We are confident that this issue has been completely resolved and that the website has been safe for use since March 31,” a spokesman for Robert Dyas said in the post. “We are working with the relevant authorities in response to the incident and have appointed a forensic investigator from the payment card industry to conduct an independent investigation. We deeply feel the concern and inconvenience this illegal activity has caused to some of our customers.”

Robert Dyas said the company’s payment provider, which manages sales, has been notified, along with banks and other associated financial services.

The UK Information Commissioner’s Office (ICO) has been informed and, if the data protection watchdog finds fault with Robert Dyas’ security, a fine could be imposed under GDPR.

In the United States, there has been a potentially very serious data breach that may have affected business owners seeking financial assistance from the Small Business Administration (SBA). The U.S. agency said this week that a security issue on the disaster assistance fund’s web portal could have led to the exposure of personally identifiable information (PII) belonging to approximately 8,000 applicants.

