UK retailer Kiddicare has admitted suffering a data breach on a test server that exposed the names, delivery addresses, telephone numbers and email addresses of up to 800,000 customers. The firm, which sells parenting and family-oriented products, has sent a breach notification email to the 794,000 people it believes may have been affected.
Kiddicare said it was first alerted to a possible breach after a "small number" of customers reported receiving phishing emails posing as an online survey. In the subsequent investigation the firm was able to match the compromised data to customer information it had loaded onto a test server in November last year; it remains unclear exactly when the breach itself took place.
Kiddicare maintains that no payment card data was lost in the leak and said the incident has been reported to the Information Commissioner's Office (ICO), the UK regulator that investigates, and can fine organisations for, data breaches.
In a statement sent to the BBC, a Kiddicare spokesperson said: "We are very sorry for the potential stress and anxiety this incident may have caused our customers. We want to reassure everyone that the problem has been fixed, increased security measures have been implemented and we have a dedicated team here to help with any further concerns."
According to security researcher Graham Cluley, who wrote about the leak in a blog post, companies are getting "sloppier" about securing test servers, which he said are increasingly open to exploitation by hackers and cyber-thieves.
He said: "Kiddicare used real customer data on its test site. In principle, there's nothing really wrong with using real production data on a test environment if the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers. But it shouldn't be forgotten that this was a test site, and things are expected to go wrong."
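The safer alternative to loading a raw customer export onto a test server is to pseudonymise it first, so that a compromise of the test environment yields nothing a phisher can use. The script below is an added illustration, not Kiddicare's code or anything from the article: it replaces names, emails and phone numbers with keyed HMAC tokens (so the same real customer always maps to the same fake identity, keeping joins and duplicate-detection logic testable), swaps addresses for a synthetic street while preserving only the postcode district, and then runs a leak check before the data is allowed out. The customer records, the masking key and the field names are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for a customer export; not real data.
# Phone numbers use the 020 7946 0xxx range, which Ofcom reserves for fiction.
SAMPLE_CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "Alice@example.org",
     "phone": "+44 20 7946 0123", "address": "1 High Street, Peterborough, PE1 1AA"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.org",
     "phone": "+44 20 7946 0456", "address": "2 Low Road, Leeds, LS1 1AB"},
    # Same person as record 1 with differently-cased email: must map to the same pseudonym.
    {"id": 3, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0123", "address": "1 High Street, Peterborough, PE1 1AA"},
]

# Hypothetical key. It belongs to the production-side export job and must never be
# copied to the test environment; without it the tokens cannot be linked back.
MASKING_KEY = b"rotate-me-and-keep-me-out-of-test"

# Outward (district) part of a UK postcode, e.g. "PE1" in "PE1 1AA".
UK_OUTWARD_CODE = re.compile(r"\b([A-Z]{1,2}\d[A-Z\d]?)\s*\d[A-Z]{2}\b")


def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Deterministic pseudonym for one field value: HMAC-SHA256, truncated hex."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def pseudonymise(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Return a copy of a customer record with every direct identifier replaced.

    The token is derived from the normalised email, so one real customer always
    becomes the same fake customer, but no real name, email, phone or street
    address is carried into the output.
    """
    email_norm = record["email"].strip().lower()
    tok = pseudonym(key, "email", email_norm)
    # 07700 900000-900999 is another Ofcom drama range: it never rings a real phone.
    fake_phone = "+44 7700 900%03d" % (int(tok[:6], 16) % 1000)
    m = UK_OUTWARD_CODE.search(record["address"])
    outward = m.group(1) if m else "ZZ9"  # keep only the district for delivery-zone tests
    return {
        "id": record["id"],
        "name": f"Customer {tok[:8]}",
        "email": f"cust-{tok}@test.invalid",  # .invalid is reserved and undeliverable
        "phone": fake_phone,
        "address": f"{record['id']} Test Street, {outward} 9ZZ",
    }


def leaked_values(originals: list, masked: list) -> list:
    """Pre-load check: list (id, field) for any real name, email or phone that
    survives masking anywhere in the output. Must be empty before export."""
    blob = "\n".join(str(sorted(r.items())) for r in masked).lower()
    leaks = []
    for r in originals:
        for field in ("name", "email", "phone"):
            if r[field].strip().lower() in blob:
                leaks.append((r["id"], field))
    return leaks


if __name__ == "__main__":
    masked = [pseudonymise(r) for r in SAMPLE_CUSTOMERS]
    for r in masked:
        print(r)
    print("leaks:", leaked_values(SAMPLE_CUSTOMERS, masked))
```

Two caveats worth keeping in mind: the leak check only looks for exact copies of the fields it knows about, so free-text columns (order notes, support tickets) need their own treatment, and pseudonymised data remains personal data for as long as the key exists, so the test server still needs the same access controls as any other system that holds it; the masking simply limits what an attacker gets if those controls fail, which is the scenario described here.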
Kiddicare has reportedly deleted the test server from which the information was stolen. Cluley said, however, that customers remain at risk, and criticised the firm for not publicising the breach more prominently to its users.
"There is currently no mention of the data breach on the Kiddicare website's home page or on its Twitter account," he said. "I'm not sure that's offering the best service for customers who, through no fault of their own, might now be at risk. It's almost as if Kiddicare would prefer to turn a blind eye to the potential seriousness of the breach."
Kiddicare customers are urged to change their passwords and to treat unsolicited emails, calls or surveys that quote their details with suspicion: the leaked names, addresses, phone numbers and email addresses are exactly what is needed to make follow-up phishing attempts look convincing.