A manufacturer of kitchen utensils, office supplies and housewares disclosed a data breach of customer information submitted to its e-commerce website.
OXO International Ltd confirmed on 17 December 2018 that digital attackers might have compromised the data submitted by customers to its e-commerce website. The manufacturer believes that those responsible for the security incident might have used unauthorized code to access customers’ names, billing and shipping addresses and credit card information.
An investigation launched by OXO revealed that the data breach actually occurred over several disconnected periods of unauthorized access. As quoted in a breach notification letter template submitted to the Attorney General of California:
We currently believe that information entered in the customer order form between June 9, 2017 – November 28, 2017, June 8, 2018 – June 9, 2018, July 20, 2018 – October 16, 2018 may have been compromised. While we believe the attempt to compromise your payment information may have been ineffective, we are notifying you out of an abundance of caution.
According to Bleeping Computer, at least one of the compromises suffered by OXO was a MageCart attack. In this type of intrusion, bad actors inject script into a target organization’s checkout page in order to steal personal and financial information submitted by customers.
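One practical defender-side check against the injection described above is to keep a baseline of the scripts a checkout page is supposed to carry and flag anything that later appears outside it. The example below is added here for illustration; it is not code from the article, from OXO or from Bleeping Computer. The two HTML pages and the hostnames in them are constructed sample input, and the baseline is taken from the known-good copy rather than from any real site.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptInventory(HTMLParser):
    """Collect every <script> element: external scripts by src, inline scripts by SHA-256 of their body."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute values, in page order
        self.inline = []         # sha256 hex digests of inline script bodies
        self._collecting = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._collecting = True
            self._chunks = []

    def handle_data(self, data):
        if self._collecting:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._collecting:
            self.inline.append(inline_hash("".join(self._chunks)))
            self._collecting = False


def inline_hash(body):
    """Hash an inline script body after trimming surrounding whitespace."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def script_host(src):
    """Host an external script loads from; '' means a same-origin (relative) URL."""
    return urlsplit(src).netloc.lower()


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def baseline(html):
    """Allowed script hosts and inline-script hashes, taken from a known-good copy of the page."""
    external, inline = inventory(html)
    return {script_host(s) for s in external}, set(inline)


def unexpected_scripts(html, allowed_hosts, allowed_inline):
    """Scripts on a freshly fetched page that the baseline does not account for."""
    external, inline = inventory(html)
    bad_external = [s for s in external if script_host(s) not in allowed_hosts]
    bad_inline = [h for h in inline if h not in allowed_inline]
    return bad_external, bad_inline


# Constructed sample: the checkout page as deployed (hostnames are placeholders).
KNOWN_GOOD = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed sample: the same page with two scripts the baseline never saw.
# The added inline script is deliberately harmless; only its presence matters.
TAMPERED = KNOWN_GOOD.replace(
    "</body>",
    '<script src="https://static.not-in-baseline.test/a.js"></script>\n'
    '<script>console.log("hello")</script>\n</body>',
)

if __name__ == "__main__":
    hosts, hashes = baseline(KNOWN_GOOD)
    print("known-good page:", unexpected_scripts(KNOWN_GOOD, hosts, hashes))
    print("tampered page:  ", unexpected_scripts(TAMPERED, hosts, hashes))
```

Run periodically against the live checkout page (and re-baseline on every legitimate deploy); a non-empty result is an alert, not proof of compromise, but it is exactly the kind of change the intrusions described here depend on going unnoticed for months.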
Research has shown that a fifth of MageCart victims typically suffer subsequent attacks after the initial infection.
Following its investigation, OXO removed the unauthorized code, scanned its system for additional weaknesses, reissued access credentials and retained penetration testers to conduct more in-depth security assessments of its web resources.
The manufacturer explained in its breach letter template how it “deeply regrets that this incident occurred.” To help affected customers deal with the aftermath of this incident, OXO said that it has retained Kroll to provide victims with one free year of identity monitoring. It also urged customers to consider placing a fraud alert or security freeze on their credit report and contacting the Federal Trade Commission (FTC).