Hackers target Robert Dyas to steal customers' payment card details

The firm says it became aware of the breach on 30th March 2020

British hardware retailer Robert Dyas has been hit with a data breach that exposed users ' confidential details, including their names, addresses and credit/debit card numbers.

In an email sent to affected customers the company disclosed the security breach, stating that a card skimmer was present for several days in March 2020 on the payment processing page of its website.

"We are writing to inform you of a cyber security incident which occurred on robertdyas.co.uk during March 2020, and has unfortunately resulted in some Illegal and unauthorised access to customers personal data," the company said in the email to customers.

Robert Dyas became aware of the security incident on 30th March and immediately took steps to block the malicious software, which it believes was uploaded by "an external third party".

A preliminary investigation revealed that hackers were able to access some customer data on transactions made between 7^th March and 30^th March 2020. It enabled them to steal the long number, expiry date and CVV code of customers ' debit/credit cards, although no user password or details of product purchases made by customers were compromised in this incident, the company claimed.

A spokesman of the firm told The Register that they have informed law-enforcement agencies about the incident and have also appointed a Payment Card Industry Forensic Investigator to investigate the incident.

The company says it has also informed its Merchant Service Provider who oversees all credit or debit card payments done on its ecommerce website.

The Information Commissioner's Office in UK has also been informed about the security breach.

"We are deeply sorry for the concern and inconvenience this illegal activity has caused some of our customers," the spokesperson said.

The company is now advising its customers to contact their banks and credit card providers and to check their account statements for any suspicious activity.

During the coronavirus outbreak, hackers have increased attacks against ecommerce websites to steal sensitive payment details of customers.

Last month, NutriBullet, the fashionable maker of the eponymous blender, was attacked by a group classified as Magecart Group 8, who specifically targeted the payment checkout page of the website.

In October last year, researchers warned that up to 20,000 ecommerce websites were at risk of Magecart attacks following Volusion server compromise.

In 2018, a Magecart attack on British Airways also compromised credit card details of around 500,000 customers.