Robert Dyas – Theft of card holder data from Ecommerce site

The Register is reporting that between 7th March and 30th March 2020 the personal details of Robert Dyas customers, including name, address, card number, expiry date and security (CVV) code, were skimmed from the company's website.

This form of data skimming occurs when criminals plant malicious code in a website to steal customer information as it is entered on the checkout page. Generally, hackers inject skimming code by either physically breaking into the website server or adding malicious code to third-party vendor plugins.

This category of attack is usually referred to as Magecart, and other high-profile attacks of this kind include those on British Airways and Ticketmaster.

Robert Dyas have published details of the cyber security incident with FAQs for their customers and have contacted by email the customers who placed orders during this period and were directly affected. Affected customers have been advised to contact their bank or credit card providers and follow their recommendations.

This comes during lockdown, at a time when more people are making use of e-commerce sites, and adds additional stress for those customers affected.

Our advice for anyone running an e-commerce site is always to take a zero-trust approach to third-party plugins, especially if they are collecting sensitive data, and to carry out full code reviews.

Read more in the Register at: Attention, lockdown DIY fans: UK hardware flinger Robert Dyas had credit card data and more skimmed from website.