The gift card platform of the international fashion retail chain C&A in Brazil has announced that it has suffered a cyberattack.
All users who purchased gift cards have now had their information leaked on the Internet. The leaked information includes ID numbers and email addresses, as well as the amount loaded onto the cards, the order number and the date of purchase.
The cybercriminal (known as @joshua, from the group Fatal Error Crews) has published data from C&A customers who purchased gift cards online on the website Pastebin.
“Since you like to play with the data of others, we’ve decided to play around with your systems,” wrote hacker Joshua when he published the data.
The hacker said that the data of four million applications is exposed and that, among them, there is “probably” data from two million different clients.
According to local technology news website Tecmundo, data of about 36,000 customers has been exposed.
While it didn’t confirm the scale of the data leak, C&A said in a statement that it detected a “cyberattack movement” in its gift card and exchange system last Thursday and that it immediately actioned its contingency plan, as well as legal proceedings to treat the issue.
The retailer added that it does not use personal data for any unauthorized purposes: “we reiterate our commitment to ethics and respect to the laws and that we work to offer the best possible experience to our customers, and that includes the online environment.”
Figure 1: Pastebin document.
As with other data breaches, users need to be prepared for spear-phishing attacks by cybercriminals. Phishing and social engineering are the main dangers associated with data leakage.
Figure 2: Sensitive data leaked from C&A.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.