OXO International discloses data breach, customer data over two years impacted

A Magecart attack is suspected.

Cathay Pacific data breach hits 9.4 million people Passport details such as name, nationality, date of birth, and passport number were accessed, with the airline only reaching out to its frequent flyers and registered users.

OXO International has disclosed a data breach which the company says may have exposed customer information over the course of two years.

The New York-based manufacturer of homeware, office supplies, and kitchen utensils filed a data breach advisory with the California Attorney General's Office, and a letter drawn up for customers (.PDF) indicates that the data breach occurred between June 2017 and October 2018.

OXO says the security incident was confirmed on 17 December 2018 following forensic tests.

The incident involved "sophisticated criminal activity that may have exposed some of your personal information," according to the manufacturer, and customers who entered data on the oxo.com domain during these times may have had their information compromised.

Specifically, data entered between June 9, 2017 -- November 28, 2017, June 8, 2018 –- June 9, 2018, and July 20, 2018 -- October 16, 2018 has potentially been exposed.

While OXO says that "the attempt to compromise your payment information may have been ineffective," the business added that names, billing and shipping addresses, as well as credit card information was involved in the data breach.

OXO blamed the incident on "unauthorized code" which found its way on to the firm's website. Beyond the code being "malicious," OXO has not revealed any further details concerning how the malware landed on the oxo.com domain or who may be responsible.

See also: Feedify becomes latest victim of the Magecart malware campaign

"OXO values your business and deeply regrets that this incident occurred," the company says. "Upon discovering the unauthorized code, OXO immediately took actions to secure its site by working with recognized security consultants to conduct a thorough investigation of the incident and to determine additional measures designed to help prevent incidents of this kind in the future."

The third-party help was able to scrub the servers clean of the malware and is now working with OXO to find and resolve any other vulnerabilities which could be exploited for a repeat performance.

This kind of card-skimming attack which takes place as customers submit an order online has become the signature of the Magecart threat group. Based on Archive.org screenshots and VirusTotal scripts unearthed by Bleeping Computer, at least one of the attacks launched against OXO appears to be the work of the threat group.

TechRepublic: WordPress users beware: These 10 plugins are most vulnerable to attacks

Magecart has attacked countless e-retailers in the past. Ticketmaster, British Airways, Feedify, Kitronik, Infowars, and Newegg are some of the most high-profile victims of the threat groups under this umbrella, of which researchers estimate there are at least seven separate hacking groups.

The attacks tend to follow a common pattern -- gain access to the backend of a retail store, modify the source code to run JavaScript code which collects form data input by customers, and then whisk this information away to a remote server under the attacker's control.

CNET: Twitter messages to Russian cybersecurity firm helped NSA leak probe

This information could then potentially be sold off in bulk data dumps or used for the purposes of credit card fraud and identity theft.

It is not known how many customers have been affected by the OXO breach. However, OXO is offering impacted customers a free credit monitoring service for one year through Kroll, but this service must be activated no later than 28 March 2019. 

Previous and related coverage