Online merchant fragrancedirect.co.uk has confirmed a miscreant broke into its systems and made off with a raft of customers’ personal data, including payment card details.
The e-retailer, based in Macclesfield, England, wrote to punters this week to inform them of the digital burglary and the subsequent data leakage.
“We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party,” the email states.
The online store then launched an investigation and “quickly identified the root cause and have taken the necessary steps to address the issue”, the note continues.
It added that “Fragrance Direct Username and Password”, along with “Name, Address and Phone Number”, and “Credit and Debit Card Details” spilled into the wrong hands.
The obligatory advice to users of changing their password and contacting the bank or card issuer for further advice was then handed out. The email adds:
“We are working closely with the card companies and have retained a digital security firm to assist us with further investigations. We have also informed the relevant regulators and supervisory authorities.
“We are very sorry for any concern or inconvenience this may cause you.”
The Information Commissioner’s Office told us that “Fragrance Direct has reported an incident to us and we will assess the information provided”.
El Reg called Fragrance Direct and spoke to founder and owner Katie Jowle, who told us her company had contacted all people that had their data accessed by “malicious code” during the period in question.
We have asked for details of the code, when it was spotted, how long it had been on the site, and the measures taken to prevent a repeat incident. We will update this article when the business replies. We suspect it was a card-stealing MageCart infection.