Magecart claims fresh victim in electronics kit seller Kitronik

Kitronik says a recent data breach is the work of the same group which hacked British Airways and Newegg.
Written by Charlie Osborne, Contributing Writer

Kitronik says a recent data breach impacting online shoppers and involving the potential theft of their financial data is the work of Magecart.

The company says that Magecart's payment card-skimming malware was operating on the Kitronik website between August and September, as reported by the Register.

Customers of the BBC micro:bit vendor and electronics kit seller may have been impacted by the breach.

Sensitive information potentially exposed and stolen by the threat actors includes names, email addresses, card numbers, expiry dates, CVV security codes, and postal addresses, the publication reports.

In an email to customers, Kitronik co-founder Geoff Hampson said that the firm believes "only details entered at the checkout stage that might have been taken and as a result, customers that had set up an account prior to August would not have had their address details stolen."

It is not known how many customers may have been impacted by the website's compromise.

However, the executive believes that credit facilities -- which generally handle payment card information -- are "not likely" to have been affected when it comes to schools and businesses.

"The companies that take card payments on our behalf monitor trends and it was the payment gateway provider that notified us of a higher than normal amount of fraud, which triggered our investigation," Hampson said.

Kitronik has pointed the finger at Magecart for the data breach. Magecart has been active since 2015 but has recently hit the spotlight due to a global payment-skimming campaign which has claimed a number of high-profile victims.

British Airways, Ticketmaster, Newegg, Shopper Approved, Feedify, and ABS-CBN are among Magecart's known victims.

Magecart has been linked both to attacks that inject skimming JavaScript directly into vulnerable e-commerce platforms and to compromises of payment pages through third-party applications and widgets.

In October, a security researcher uncovered zero-day vulnerabilities in Magento extensions that are being actively abused by Magecart to spread payment-skimming malware.

Under the EU's new General Data Protection Regulation (GDPR), which came into effect on May 25, organizations must make every effort to inform regulators of a breach within 72 hours of the point of discovery.

The UK's Information Commissioner's Office (ICO) has confirmed that the data protection watchdog has been informed of the data breach.

An ICO spokesperson told ZDNet, "We are aware of an incident involving Kitronik and we will be making inquiries."

ZDNet has reached out to Kitronik with additional queries and will update if we hear back.