Babycare e-tailer Kiddicare admits customer data breach

Babycare retailer Kiddicare has warned customers that personal data shared with the store has been stolen by hackers. The compromised data is restricted to name, delivery address, telephone number and email address, according to Kiddicare, which is keen to stress that customer payment details or credit/debit card information …

  1. Anonymous Coward
    FAIL

    Phew...

    "..The compromised data is restricted to name, delivery address, telephone number and email address, according to Kiddicare, "

    So glad there is no chance of any issues caused by this.

    It's not like you could send an email with

    Dear Jane Doe, regarding the item you had delivered to 123 Acacia Avenue, NoSuchplace. We have found an issue with the item and need you to urgently review the information in the attached information.pdf.virus attachment.

    If you have any worries about this, please visit compromisedsite.ru. Please note in order for this site to work, you must ensure Adobe flash is installed from here:

    Yours

    Kiddiecare.

    Oh wait.

  2. wolfetone Silver badge

    I do like Kiddicare's logic.

    They haven't stolen your payment information, but they may know where you live.

    1. Nigel Redmon

      wolfetone - what's your point?

      1. wolfetone Silver badge

        You can cancel a credit card, you can't exactly cancel your home address and move to another location as easily can you?

  3. Alan J. Wylie

    yet more dumbing down

    "strongly encrypted passwords". I hope that they were strongly hashed (irreversible) rather than encrypted (reversible), but you need to use words that push-chair purchasers might recognise.
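The hashed-versus-encrypted distinction this comment draws, as an added example that is not from the article, the commenter or Kiddicare: a salted PBKDF2 record can only be checked against a candidate, while a reversible record hands the password back to anyone who obtains the table and the key. The "encryption" here is a toy SHAKE-256 stream cipher standing in for AES so the example runs on the standard library alone; the password is a constructed sample.

```python
import hashlib
import hmac
import os

ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 iteration count (OWASP-recommended order of magnitude)


def hash_password(password: str) -> dict:
    """Irreversible storage: random per-user salt + PBKDF2.
    The stored record lets a server verify a login attempt; it does not let
    anyone (the site or an attacker holding the table) recover the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for a real cipher: keystream derived from key + nonce.
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt_password(key: bytes, password: str) -> dict:
    """Reversible storage: what 'strongly encrypted passwords' literally means.
    A breach that captures both the table and the application's key yields plaintext."""
    pw = password.encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"nonce": nonce, "ct": ct}


def decrypt_password(key: bytes, record: dict) -> str:
    ct = record["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, record["nonce"], len(ct)))).decode()


def breach_exposure(key: bytes, encrypted: dict) -> dict:
    """Model the Kiddicare-style scenario: attacker has the user table and the key.
    Encrypted records decrypt outright; hashed records have no inverse function."""
    return {"encrypted_recovered": decrypt_password(key, encrypted), "hashed_recoverable": False}
```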

    1. FrogsAndChips Silver badge

      Re: yet more dumbing down

      Because people who understand crypto don't have kids?

      1. Bumpy Cat
        Unhappy

        Re: yet more dumbing down @FrogsAndChips

        I have kids and I'm currently staring in mute incomprehension at my El Gamal notes, so it's hard to say one way or the other.

    2. Hardmilk
      Trollface

      Re: yet more dumbing down

      ...all your base64 are belong to us...

    3. Nigel Redmon

      Re: yet more dumbing down

      Not everyone is as smart as you Alan - so I can imagine that the term "encryption" was favoured over "hashed" to make it clearer for the rest of us!

    4. Roland6 Silver badge

      Re: yet more dumbing down

      but you need to use words that push-chair purchasers might recognise.

      I think, if you read the email Kiddicare sent out, the implication of what it is saying is clear: the people who didn't understand security and hence need talking to in kiddie words, are those responsible for the Kiddicare test site; as not only does it appear that the test website was insecure, but that it was left running long after it had serviced its purpose...

      I wonder how many devs have been shown the door - from experience it is a very effective way of making devs understand their responsibilities...

  4. Hardmilk

    I messaged them myself a few weeks back too, as I received a dodgy sms from 'HMRevenue' asking me to click a link to process my tax refund. The site automatically filled in all the details, but had information specific to that which only Kiddicare had (I'd recently changed my name last year so registered just before November) so certain information which was automatically filled in to try and trick unsuspecting folk to thinking it was genuine was information I had only used on Kiddicare at the time. I did message them on Facebook regarding this, but they said (at the time) that there had been no security breaches & promptly deleted my post on their page.

    Alas, I feel better now knowing where my details were most likely obtained from by the scammers!

    I'm not angry or upset about this, these things happen! The size and complexity of websites now can mean any portion of it could be liable to some sort of exploit, or some backend deployment gone awry could also cause a brief moment where information could be accessed.

    1. tiggity Silver badge

      Not angry? You should be livid, given their denial of security breaches & deletion of your post (a post which might have given a heads up to other kiddicare users).

      I agree that with so many exploits (& it's often a long time between first bad actor use in the wild before they are picked up by the "good guys") it is hard to defend against a breach.

      ..But that same likelihood of a breach means you need to be very, very careful before denying a breach. To flatly deny without exhaustive checks you are either over confident in your security, a fool or a liar or combinations thereof.

      The amount of various different sets of customer data floating around for sale, compared to the relatively few public reports of breaches implies either totally lax procedures in spotting breaches or a desire to deny / cover up breaches wherever possible is the default for many companies.

    2. mythicalduck

      I received a dodgy sms from 'HMRevenue'

      Thanks for sharing that, because my wife had one of them recently, but I just told her to delete it without following the link, interesting to know where it came from

  5. Triggerfish

    PCI Compliance

    Just trying to work out how it works here. Vaguely remember when looking at setting up an ecommerce site for someone looking at payment options, e.g be a gateway to something like Verisign or actually retain CC data. I seem to remember the CC retention data requirements to be pretty strict including things like pen tests.

    Now I have just looked on the PCI compliance site and looked at their different Merchant levels; it seems if you are low enough, under 1 million transactions, you can self-assess, or use a PCI approved ISP such as 1&1.

    So what's going wrong? Should all people retaining CC data have to comply with the strictest standards? Are the higher level approved PCI pen testers and ISPs not good enough?

    I mean I know it happens and it's always an arms race but you see places that have this sort of data falling to outdated cracks. Why is this? Why are they being allowed to keep CC data?

    1. Anonymous Coward
      FAIL

      Re: PCI Compliance

      As it says:

      "The information accessed does NOT include any credit/debit card information or any payment details whatsoever. Kiddicare does not store any of this information on its systems."

      Chances are they are using a 3rd party to process this. Can't be sure as I've always found them over-priced.

      Stu..

      1. Triggerfish

        Re: PCI Compliance

        Ah yes my bad.

  6. Anonymous Coward
    Anonymous Coward

    I sent El Reg the email as soon as I read it.

    There have been a few worrying scam emails doing the rounds with lots of personal information contained; and not just the fake HMR mentioned above; it is at least nice to know where it all came from, but shame on Kiddicare for taking so long to come clean.

    Anon, as I don't want my Kiddicare account and this one linked; luckily I haven't used their website in over a year, and the CC used has expired anyway.

  7. Anonymous Coward
    Anonymous Coward

    For heaven's sake

    Would someone think of the children.

    Well, for once it's appropriate..

  8. Anonymous Coward
    FAIL

    Warm & Fuzzy

    Fear not, like other breaches a pair of warm fuzzy slippers will be applied to your feet (credit monitoring) and everything will be alright! Rinse--Repeat

  9. Anonymous Coward
    Anonymous Coward

    Kiddicare? What about Precious Little One? http://www.preciouslittleone.com/

    I use a unique email per site for many sites. The preciouslittleone address which I only used in 2011 was first stolen by someone pretending to be Apple in May 2014, and then was used from January this year a total of 169 times. They know my name, address and phone number and can only have got them from PreciousLittleOne.

    I've not heard a peep from PreciousLittleOne, but clearly they were hacked (seeing as it's only the address I used for them which has had this).

  10. energystar
    Stop

    Stop building infrastructure on crappy cement and rusty steel.

    And blaming Chinese people about everything!

  11. Winkypop Silver badge
    Coat

    Good online security

    Obviously NOT child's play

  12. adam payne

    "We want to make you aware that Kiddicare has recently experienced unauthorised access to some customer details. The information accessed does NOT include any credit/debit card information or any payment details whatsoever. Kiddicare does not store any of this information on its systems."

    I'm sure that stock announcement will make your customers feel a lot better.

    "Customers of the site were notified of the snafu by email, a copy of which was forwarded to The Register (pdf). The firm has published an FAQ about the breach on its website but this was not immediately promoted through either its front page or social media accounts, omissions criticised by security watcher Graham Cluley."

    They certainly wouldn't want to put off those potential new customers by declaring that they can't keep your details safe.
