British building merchant Jewson has confirmed that it was hit by hackers. The firm reportedly alerted customers via a letter, informing them that their private and financial data may have been stolen. Jewson said that the breach occurred after hackers managed to compromise its website.
The breach is reportedly believed to have occurred in August but was only uncovered in November. This means that the hackers likely had the opportunity to conduct malicious activities on the firm's network for weeks while remaining undetected.
"We have notified 1,659 customers whose data may have been compromised and are offering free credit monitoring to those affected to help detect any potential misuse of data in the future," Jewson said in a statement. "Only the Jewson Direct website was affected by the security breach. Our main website (www.jewson.co.uk), our credit account customers and transactions across our branch network are not affected by the security breach and are operating normally.
"We have commissioned a forensic investigation into the breach using a specialist firm. We sincerely apologise for the distress and inconvenience this security breach has caused to those customers affected."
The Register, which said it had viewed Jewson's mail to customers, reported that the firm said customers' card data, including CVV numbers, card expiry dates and more, "may" have been accessed by the hackers. Customers' names, email addresses, passwords, billing addresses and phone numbers may also have been stolen.
"Whatever data protection measures Jewson has in place appear to have failed against this threat, allowing the cyber criminals' actions to go unnoticed for months," Stephen Moore, chief security strategist at Exabeam told IBTimes UK. "This is another example of the need for security teams to develop both a mindset and supporting methods for threat detection and response. Without the ability to identify threats to data and systems, security teams will struggle to stop adversaries before they cause service disruptions or data breaches."
The firm said that it has shut down the Jewson Direct website after uncovering the breach. At the time of writing, the Jewson site remains inaccessible. The firm's site will reportedly remain shut down until all security issues are resolved.
"At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website. The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data," Jewson told The Register. "No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure."
Jewson has also reportedly offered customers a complimentary 12-month membership to Experian ProtectMyID to help them keep track of their information and look out for any potential signs of identity theft.