A Robert Dyas Data Breach Exposed Customers' Payment Card Details

It's interesting to think about the numerous different effects social distancing has on the things we do every day. For example, many people are stuck at home with nothing to do because of the coronavirus pandemic, and at the same time, most physical stores have been forced to shut down for the lockdown period. One of the many side effects of all this is that online shopping for DIY products is flourishing. Just ask the people running the website of Robert Dyas, a UK-based chain selling gardening, houseware, and DIY supplies. In March, Robert Dyas announced that it was closing all its 93 stores because of the lockdown but pointed out that its online shop would continue working.

Apparently, people did indeed flock to Robert Dyas' e-commerce website. Read through some of the comments on the chain's Facebook page, and you'll see that plenty of customers are complaining about delayed and unfulfilled orders. On Monday, Robert Dyas used the social network to apologize for the problems, said that its employees have been overwhelmed by the surge of interest in the online shop, and promised that increased customer service and delivery capacity should result in a much better buying experience. What it didn't apologize for was the data breach that it suffered last month.

Card-skimming malware hit Robert Dyas in early March

The DIY store chain has decided not to mention the incident publicly, but if its management team thought that it might go unnoticed, they were wrong. The Register heard about the attack and reported on it last week after a reader shared the data breach notification they had received. It turned out that it was quite serious.

On March 7, "an external third party" compromised Robert Dyas' website and injected malicious code on the checkout page. For the next three weeks, the malware scraped personal and financial information of Robert Dyas' customers until it was finally discovered and removed on March 30. The data breach notice pointed out that no passwords have been stolen, though, as The Register suggested, this probably isn't much of a relief for the affected customers.

The pilfered data includes names, addresses, payment card numbers, expiry dates, and CVV codes. In other words, the crooks have all the information they need to carry out unauthorized purchases, which is why affected customers should keep a close eye on their financial statements, and they might also want to think about contacting their banks and seeing what their options are.

A Robert Dyas spokesperson told The Register that the malware hit around 20 thousand customers. The company is in the process of informing potential victims as well as law enforcement organizations. What remains unknown is why it is still reluctant to publicly disclose the breach.

Online shops should be prepared for more of the same

Currently, there's no information on whether the malware used in this attack is the infamous Magecart. Only people with access to the evidence can say for sure, but the defining characteristics of the world's most dangerous e-skimmer are certainly there.

This shouldn't really be a surprise. Robert Dyas is far from the only retailer that urges users to shop online during the lockdown period, which is why the operators of Magecart and other similar malware families are likely to be especially active in the coming weeks and months. E-commerce websites should bear this in mind and should be better prepared for this type of attack.

April 29, 2020