Cybercriminals steal card details from 4,000 ecommerce firms – NCSC

Cybercriminals have stolen customer card details from over 4,000 UK online retailers by exploiting a vulnerability in popular ecommerce software Magento, the UK’s National Cyber Security Centre (NCSC) has warned.

The NCSC – a division of GCHQ – is urging ecommerce businesses to update Magento, an open source ecommerce platform that was acquired by Adobe in 2018 for $1.68bn.

Failing to update Magento and other ecommerce software could lead to an attack resulting in “financial and reputational damage”, the NCSC said.

Card skimming sees criminals intercept and make copies of debit or credit cards while they are being used at an ATM or at checkout online.

In total, the NCSC said it notified 4,151 ecommerce companies that they were running a vulnerable version of the software up until the end of September.

The card skimming warning comes in the build-up to the annual Black Friday shopping event, which is regularly targeted by cybercriminals.

“We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period,” said Sarah Lyons, NCSC deputy director for economy and society. “Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage.”

In October 2020 British Airways was fined £20m by the Information Commissioner’s Office (ICO) for failing to protect 400,000 customers from a card skimming breach two years earlier. That fine was heavily reduced from the £183m initially proposed by the data regulator.

Infamous hacking group Magecart had successfully injected code into the airline’s website to steal personal and financial data.

Cybersecurity experts welcomed the NCSC’s card-skimming alert but said retailers should take extra precautions to protect both their business and consumers.
