Baby retailer Kiddicare has alerted nearly 800,000 customers that a recent data breach led to the exposure of their personal information. The UK-based company notified potentially affected customers via email, stating that the compromised information included names, delivery addresses, emails and phone numbers. Kiddicare stressed that the information accessed did not include credit or debit card information, as the company does not store or process any payment information. It appears that the retail chain first became aware of the issue after being alerted to a “possible phishing communication” by a “small number” of customers, read an FAQ posted to Kiddicare’s website.
“The communication was in the form of a text message and purported to be from a subsidiary website of Kiddicare.com and invited customers to take an online survey,” the company explained.
Kiddicare believes the stolen information came from a version of its website that had been set up for testing purposes in November 2015, which has since been deleted. “The personal information exposed has limited use and, therefore, the risk to you is low,” the retailer assured its customers. “However, any personal information can be used in phishing attacks and scams and so you should be extra vigilant and be alert to any suspicious communication,” it warned. “If you are unsure whether a communication is genuine, you should always contact the company the message is purporting to be from to confirm authenticity,” said the company. Kiddicare says it has since taken steps to prevent a similar incident in the future, such as implementing upgrades and improvements to its systems, as well as automatically resetting all customer account passwords despite no indication that they were stolen. Nonetheless, security blogger Graham Cluley says in a blog post the fact that the retailer used real customer data on a test site is concerning:
"In principal, there’s nothing really wrong with using real production data on a test environment *if* the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers. But it shouldn’t be forgotten that this was a test site, and things are expected to go wrong."
It is still unclear how many records may have been affected by the breach.
