Hackers used this software flaw to steal credit card details from thousands of online retailers

Hackers used flaw in popular e-commerce software.
Written by Danny Palmer, Senior Writer

Over 4,000 online retailers have been warned that their websites had been hacked by cybercriminals trying to steal customers' payment information and other personal information. 

The National Cyber Security Centre (NCSC) has identified a total of 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. It alerted the retailers to the breaches over the past 18 months.

The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised by known vulnerabilities in the e-commerce platform Magento. Most of those affected and alerted to the compromises and vulnerabilities are small and medium-sized businesses. 

The NCSC revealed the number of businesses it has notified about customer data being stolen ahead of Black Friday. It urges all retailers to ensure that their websites are secure ahead of the busiest online shopping period of the year to protect their business -- and their customers -- from cybercriminals. 

"We want small and medium-sized online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals over the peak shopping period," said Sarah Lyons, deputy director for economy and society at the NCSC. "Falling victim to cybercrime could leave you and your customers out of pocket and cause reputational damage." 

One of the key things that online retailers can do to help prevent payments and personal data from being stolen is to apply the available security patches that stop cybercriminals from being able to exploit known vulnerabilities in Magento and any other software they use. 

"It's important to keep websites as secure as possible, and I would urge all business owners to follow our guidance and make sure their software is up to date," said Lyons. 

Applying security patches in a timely manner is just one of the things recommended by the NCSC's and British Retail Consortium's Cyber Resilience Toolkit for Retail. This kit was released in October 2020, but the information on keeping websites secure from cyberattacks is still very much relevant today.

"Skimming and other cybersecurity breaches are a threat to all retailers," said Graham Wynn, assistant director for consumer, competition and regulatory affairs at the British Retail Consortium.

"The British Retail Consortium strongly urges all retailers to follow the NCSC's advice and check their preparedness for any cyber issues that could arise during the busy end-of-year period."

The compromised shopping websites were identified as part of the NCSC's Active Cyber Defence programme, which has been monitoring for vulnerabilities that could impact online retailers since April 2020. 

The NCSC has also reiterated advice to consumers on how to stay safe when shopping online. The advice includes being selective about where you shop, only providing necessary information, ensuring the payment system used is protected and keeping online accounts secure. 
