Sweaty Betty Customers Are Warned About a 'Sophisticated Cybersecurity Incident'
Over the last few months, the name 'Magecart' has been used with increasing frequency by cybersecurity experts. The term was actually coined a while ago, and it has now come to be used as a collective name for the threat of malicious scripts that skim online shoppers' credit cards during the checkout process.
The curious thing about Magecart is that it's not an attack that is carried out according to a pre-determined list of steps, and it doesn't even involve the use of a specific set of tools. In some Magecart attacks, the hackers compromise the website itself, and sometimes, they use a vulnerable third-party library or plugin to run their code on the checkout page. The upshot is always the same, though – the credit card details of a large number of unsuspecting customers end up in the hands of cybercriminals. The attacks are often fairly difficult to detect, which makes them rather effective, and the multitude of Magecart-related incidents that we've seen over the last few months shows that hackers are very much aware of this. British fashion retailer Sweaty Betty is their latest target.
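Both injection routes described above, a change to the site's own pages or a compromised third-party script, show up as script tags on the checkout page that differ from what was last reviewed. The following Node.js script is an added example, not code from the article or from Sweaty Betty; it audits a page's script tags against a reviewed baseline, and every hostname, baseline value, and line of sample HTML in it is a constructed assumption.

```javascript
const crypto = require('crypto');

// Base64 SHA-256 of an inline script body, the form a reviewed baseline would store.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('base64');

// Report script tags that differ from the baseline. The regex tag scan is a
// simplification that is adequate for server-rendered HTML like the sample below.
function auditCheckoutScripts(html, pageOrigin, baseline) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code: a compromise of the site itself appears as new or changed inline script.
      if (body.trim() && !baseline.inlineHashes.has(sha256(body)))
        findings.push({ type: 'unknown-inline', detail: sha256(body) });
      continue;
    }
    const url = new URL(src[1], pageOrigin);
    const thirdParty = url.origin !== new URL(pageOrigin).origin;
    if (thirdParty && !baseline.allowedHosts.has(url.host))
      findings.push({ type: 'unlisted-host', detail: url.host });
    else if (thirdParty && !/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(attrs))
      // Only the presence of an SRI attribute is checked here, not its value.
      findings.push({ type: 'missing-sri', detail: url.href });
  }
  return findings;
}

// Constructed baseline and page (hypothetical hosts, placeholder integrity value).
const reviewedInline = "window.checkout = { currency: 'GBP' };";
const baseline = {
  allowedHosts: new Set(['cdn.payments.example']),
  inlineHashes: new Set([sha256(reviewedInline)]),
};
const sampleHtml = `
<script>${reviewedInline}</script>
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.payments.example/widget.js"></script>
<script src="https://stats.unreviewed.example/t.js"></script>
<script>/* constructed stand-in for an unreviewed inline script */ void 0;</script>`;

console.log(auditCheckoutScripts(sampleHtml, 'https://shop.example', baseline));
```

Run on a schedule against the rendered checkout page, a check like this turns an unexpected script into an alert rather than something noticed by chance.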
Sweaty Betty was hit by Magecart
On Tuesday, November 19, cybercriminals infiltrated Sweaty Betty's website and injected a credit-card-scraping script that collected customers' payment details, including card numbers, CVVs, and expiration dates. In addition to this, the malicious code also targeted names, emails, passwords, billing addresses, and telephone numbers. A spokesperson for the retailer told Essential Retail that customers placing their orders over the phone were also affected.
According to Sweaty Betty, only new payment cards were hit. People who used PayPal, Apple Pay, or a card that had already been saved in their accounts have nothing to worry about. The card skimming operation continued until November 27, when the retailer's IT team noticed the unusual code and removed it.
Sweaty Betty doesn't want to discuss the matter publicly
There's no shortage of people who are upset about the Magecart attack, which is not surprising at all. As some of the victims point out, the holiday season is coming, and this is not really the perfect time to be disputing unauthorized charges or dealing with blocked credit cards. People are not especially happy with the way Sweaty Betty is handling the breach, either, and unfortunately, we have to say that yet again, they have a few good reasons to be grumpy.
Sweaty Betty has so far failed to inform the public how many people were potentially hit by the Magecart attack. It has also said nothing about the way the crooks managed to get in and inject their code. Overall, the retailer has been decidedly reluctant to share any details about the attack with the public. Sweaty Betty did send out email notifications to affected customers, but it didn't officially announce anything. Then, when worried clients used social media to try to find out more, they were told that they'd be given more information only via private messages.
This is not really doing Sweaty Betty any favors. People are understandably upset about the attack, and the incident is bound to have a negative effect on the retailer's reputation. A more transparent disclosure of what happened and why would have helped, at least to some extent, but Sweaty Betty's management has apparently decided that trying to keep things quiet is a better strategy. We're struggling to see how this will work out in their favor.