Indoor gardening system manufacturer AeroGrow has disclosed a data breach that involved customers’ payment card information.
In a sample data breach notice obtained by the Office of Attorney General for the State of California, AeroGrow senior vice president of finance and accounting Grey H. Gibbs explains that the company learned of the security incident on 4 March 2019. Specifically, they found out that a bad actor had leveraged malicious code to obtain payment card information entered by customers between 29 October 2018 and 4 March 2019 into the eCommerce vendor’s payment page. This data might have included customers’ payment card numbers, expiration dates and CCV/CVV numbers but none of their personal information.
Gibbs notes that AeroGrow removed the malicious code and took steps to secure its website after the company learned of the data breach. As quoted in the notice:
We have informed law enforcement and will cooperate with their investigation. We have not delayed notifying you at the request of law enforcement. In addition, we have taken the appropriate steps to limit the likelihood of a recurrence, and we have engaged a third-party expert to conduct a thorough review of our security protocols.
Additionally, Gibbs said that the company would be offering one year of identity protection services to all consumers affected by the data breach.
This isn’t the first time that AeroGrow has suffered a security incident. As revealed in a letter received by the New Hampshire Department of Justice, the garden system manufacturer discovered an incident in May 2015 where an unauthorized actor gained access to the company’s website. In so doing, they might have obtained customers’ names, addresses and payment card data.
AeroGrow’s data breach notice doesn’t mention who was responsible for this latest security incident. That being said, the details are reminiscent of a Magecart attack. Earlier in 2019, news emerged about how this digital crime gang had compromised hundreds of e-commerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online. More than that, Magecart has a documented history of reinfecting the same websites time and time again.
To help protect against Magecart attacks, organizations should focus on improving their supply chain security. Here’s a great resource to help organizations get started.