
Kiddicare customers at risk after data spills from test server

Graham CLULEY

May 09, 2016


British retailer Kiddicare, which has made a name for itself selling pushchairs, car seats and more, has suffered a data breach that has exposed the personal information of its customers.

Kiddicare has sent an email to affected customers saying that their names, delivery addresses, telephone numbers and email addresses have fallen into the hands of hackers – but that, thankfully, no payment details have been compromised as the company says it does not store or process credit card information.

[Image: Kiddicare's notification email to customers]

An FAQ posted on Kiddicare’s website shares some further details.

Apparently, the first sign that there might be something to worry about was when a “small number” of customers reported receiving SMS text messages claiming to come from a subsidiary website of Kiddicare.com, inviting customers to take an online survey.

Online surveys have often been a tool used by scammers to earn revenue, either by tricking users into believing that they are going to receive a cash prize, or by signing participants up for expensive premium rate mobile phone services.

At this time, Kiddicare hunted for evidence that its systems may have been compromised, but found none. It was only when a security company alerted it that customer data had been exposed that Kiddicare linked the breach to a dataset used on a test site back in November 2015.

In other words, Kiddicare used real customer data on its test site.

In principle, there's nothing really wrong with using real production data in a test environment *if* the test site is secured as well as the normal, live servers and gives hackers no easier route to the information. But it shouldn't be forgotten that this was a test site, and on test sites things are expected to go wrong.

Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites – opening opportunities for data thieves and hackers.

For that reason it’s usually much safer to generate fake data for testing purposes – just in case.
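One way to put that advice into practice, as an added example that is not from the original article or from Kiddicare: a short Python script that pseudonymises the four exposed fields (name, delivery address, telephone number, email) with a keyed one-way hash before a copy goes anywhere near a test server, and then checks that no original value survives. The sample records and the key constant are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample records covering the four fields Kiddicare said were
# exposed (name, delivery address, telephone number, email). Invented values.
CUSTOMERS = [
    {"name": "Alice Example", "address": "1 Sample Street, Sampletown, SA1 1AA",
     "phone": "01632 960123", "email": "alice@example.org"},
    {"name": "Bob Sample", "address": "2 Test Road, Testville, TE2 2BB",
     "phone": "+44 1632 960456", "email": "Bob@example.net"},
]

# Assumption (hypothetical constant): the key lives outside the test
# environment, so tokens cannot be reversed from the test copy alone.
MASKING_KEY = b"hypothetical-key-kept-out-of-test"

def token(key: bytes, value: str) -> str:
    """Keyed one-way pseudonym. Equal inputs give equal tokens, so rows that
    referred to the same customer still line up in the test copy."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def mask_phone(phone: str, digits: str) -> str:
    """Swap every digit but keep spacing and '+' so format-handling code is
    still exercised by the test data."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in phone)

def pseudonymise(record: dict, key: bytes = MASKING_KEY) -> dict:
    t = token(key, record["email"])
    digits = str(int(t, 16))  # roughly 77 decimal digits derived from the token
    return {
        "name": f"Customer {t[:8]}",
        "address": f"{int(t[:2], 16) + 1} Masked Street, Masktown, ZZ1 1ZZ",
        "phone": mask_phone(record["phone"], digits),
        "email": f"{t[:16]}@example.invalid",  # reserved TLD, never deliverable
    }

def leaked_values(originals: list, masked: list) -> list:
    """Original field values that survive verbatim in the masked set; should be
    empty before the copy is allowed onto a test server."""
    blob = json.dumps(masked).lower()
    return sorted({v for r in originals for v in r.values() if v.lower() in blob})

if __name__ == "__main__":
    test_copy = [pseudonymise(c) for c in CUSTOMERS]
    print(json.dumps(test_copy, indent=2))
    print("leaked:", leaked_values(CUSTOMERS, test_copy))
```

Because the same email always yields the same token, foreign keys between customer, order and delivery tables keep matching in the test copy without any real value being present.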

Kiddicare says that it has now deleted the test site – which is a good thing, of course.

What’s less impressive is that there is currently no mention of the data breach on the Kiddicare website’s home page or on its Twitter account. I’m not sure that’s offering the best service for customers who, through no fault of their own, might now be at risk – and may be keen to confirm that the warning email they received is genuine, and to read further advice in Kiddicare’s FAQ.

[Image: Kiddicare's Twitter account]

It’s almost as if Kiddicare would prefer to turn a blind eye to the potential seriousness of the breach.

One clear risk is that Kiddicare customers might be contacted by fraudsters pretending to be the baby specialist retailer, in an attempt to trick unsuspecting consumers into handing over payment information. Such attacks could be spammed out in the form of phishing emails or potentially take place over the telephone.

If the right social engineering were used by scammers it’s easy to imagine how a sleep-deprived parent of a young child might make an unwise decision and accidentally share their details with someone attempting to raid their bank accounts.

Kiddicare says that there is no evidence that customer passwords were compromised, but has taken the step of automatically resetting all passwords regardless.

Naturally, we recommend that internet users remember to use different passwords for different websites. So if you were using your old Kiddicare password anywhere else on the net, now would be a great time to change it.
