Stuck at home, UK lockdown DIY fans slammed with Robert Dyas data breach

The hardware store is the latest victim of card-skimmer malware.
Written by Charlie Osborne, Contributing Writer

UK hardware store Robert Dyas has revealed that card-skimming malware on the chain's e-commerce website has led to the theft of customer financial data. 

For 23 days, starting on March 7 and ending March 30, a card skimmer was operational on the Robert Dyas' website, according to an email sent to customers and obtained by The Register

Robert Dyas provides DIY and home improvement products, gardening tools, and electricals. Customers that ordered these types of goods through the company's website between these dates may have had their payment details stolen, including card numbers, expiry dates, and CVV security codes. In addition, customer names and addresses may have been taken. 

See also: SBA reveals potential data breach impacting 8,000 emergency business loan applicants

The implementation of card-skimming malware and payment portal hijacking are now commonly known as Magecart attacks. A website vulnerability is exploited and JavaScript skimming code is then appended to legitimate scripts found in the payment area of websites. 

Previous victims of card-skimmers include British Airways and Ticketmaster.

Robert Dyas became aware of the intrusion on March 30 and remove the malicious code. Up to 20,000 customers are embroiled in the security incident.

The damage has been heightened by increased sales of home improvement products caused by the UK's lockdown and stay at home orders. Specifically, the hardware store has been in the midst of a massive online sales boost ultimately leading to an imposition of an online minimum spend of £50 ($61). 

TechRepublic: The 13 best security certifications for newcomers and experienced professionals

"We are confident this issue has been fully resolved and the website has been safe for use since March 31," a Robert Dyas spokesperson told the publication. "We are working with the relevant authorities in response to the incident and have appointed a Payment Card Industry Forensic Investigator to carry out an independent investigation. We are deeply sorry for the concern and inconvenience this illegal activity has caused some of our customers."

Robert Dyas said that the firm's payment provider, who manages sales, has been notified, alongside banks and other associated financial services. 

The UK's Information Commissioner's Office (ICO) has been informed, and if the data protection watchdog finds fault with Robert Dyas security, a fine under GDPR could be imposed. 

CNET: Passwords for WHO, CDC, Gates Foundation employees reportedly spread online

Over in the United States, a potentially very serious data breach has occurred that may have impacted business owners seeking financial help from the Small Business Administration (SBA). The US agency said this week that a security issue in the disaster relief fund web portal may have led to the exposure of personally identifiable information (PII) belonging to roughly 8,000 applicants.

Innovative projects now online to combat coronavirus outbreak

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards