A major UK children’s retailer has suffered a major data breach that led to hundreds of thousands of customer details being leaked online.
Kiddicare has emailed 794,000 people who may have been affected by the incident, with names, addresses and telephone numbers all feared to have been leaked, although no card details are thought to be at risk.
Following separate contact from an unnamed security company with further information, the breach was then discovered to be linked to a “test” website Kiddicare used in November 2015, apparently with real customer data.
In an FAQ on its site, Kiddicare is advising customers to beware any unsolicited contact via email, post or telephone call/SMS.
“The personal information exposed has limited use and therefore the risk to you is low,” it said.
“However any personal information can be used in phishing attacks and scams and so you should be extra vigilant and be alert to any suspicious communication. If you are unsure whether a communication is genuine, you should always contact the company the message is purporting to be from to confirm authenticity.”
The company says it has now deleted the test site from its servers, made “significant upgrades and improvements” to its security, and also reported itself to the UK’s Information Commissioner’s Office (ICO).
An ICO spokesperson told TechWeekEurope, “We’re aware of an incident and are making enquiries.”
This latest breach goes to show how important it is to continually monitor for anomalous activity across the entire breadth of the network, security commentators have said.
“While it’s admirable that Kiddicare has gone straight to the UK’s Information Commissioner, it’s not good enough that the breach was discovered by customers whose information had not only been lost but already used with bad intentions,” said Justin Harvey, chief security officer at Fidelis Cybersecurity.
“Kiddicare and similar organisations need to switch from such a reactive approach and, instead, be proactively hunting for the malicious activity within its network that allows data to be exposed.”
Comments
All the actions companies take (including retroactively) are good, but the real question is why aren't the police taking more vigorous action against the actual data thieves. Would they be so complacent if it was physical items being stolen? Data can be worth more and pose a real physical risk to people, including children.
It is not surprising to hear that another business has suffered the fate of a data breach. Learning from this, it is imperative for businesses to understand that it is not enough to solely rely on Information Security teams to advise if a breach has occurred. These attacks are happening on a daily basis and businesses only usually find out once the data has been sold and their customers become the victim of targeted phishing attempts; unfortunately by this point, the damage is already done.
Normal cyber defences are no longer enough. Companies must be proactive and test the security of the whole business – from the perimeter all the way through to employee awareness training. Put simply, taking a proactive stance in relation to Information Security is the only way that companies are going to stop these hacks from happening.
Tony Sweeney, Cyber Security Director for the KCS Group Europe