Kids' shoemaker Start-Rite trips over security again, spilling customer card info

Children's shoemaker Start-Rite is dealing with a nasty "security incident" involving customer payment card details, its second significant lapse during the past eight years.

That's according to a recent notification sent to customers, seen by The Register, which didn't clarify exactly what the nature of that trouble was, although we know it involved the website's payment page.

The intrusion occurred between October 14 and November 7, the notification reads, and the information understood to be potentially compromised includes customer names as displayed on their payment cards, the address to which the card is registered, the card number, its expiry date, and card verification value (CVV).

"We would advise you to contact your bank or credit card provider and ask them to stop the card you used to pay us and issue you with a replacement," Start-Rite's notification reads. "You may be able to do this immediately via your mobile banking or credit card app.

"We would also ask you to be vigilant and check your bank or credit card statements for any transactions you do not recognize on or after 14 October 2024. If you do see anything which appears strange, you should contact your bank or credit card provider, tell them that you did not authorize the transaction, and ask for a refund. You may wish to provide them with a copy of this email to support your request.

"Once again, we are sorry that this happened," the company email adds.

Start-Rite's notification also says that the UK's data protection watchdog, the Information Commissioner's Office (ICO), will be informed, "but we wanted to get in touch with you as soon as possible to enable you to protect yourself from potential fraud."

The Register asked the ICO whether was aware of the security issue and it said today it hadn't received a report from the company, but added that companies aren't required to report all breaches.

An ICO spokesperson said: "Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms."

According to the ICO's guidance, organizations are only required to report breaches if it's likely those rights and freedoms will be put at risk. If not, no report is required, but the decision not to report must be justifiable.

The spokesperson added: "If an organization decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary.

"All organizations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us."

Start-Rite confirmed the attack to The Register, however, it has yet to publicly acknowledge the event on its website, social media, or other online presences.

It said in a statement: "On 11 November, Start-Rite Shoes became aware that it had suffered a security incident via a third-party application code on www.startriteshoes.com. The breach potentially provided access to customer bank card information. The website is now secure and the malicious code and third-party app have been removed.

"The incident is being reported to the Information Commissioner's Office and Start-Rite will be co-operating fully with the police. Start-Rite has contacted all customers who might have had their details compromised and is continuing to ensure the security of its website."

The recent attack at the Norwich-based shoemaker appears to be more serious than the last one we covered back in 2016.

We reported that customer names, postal addresses, telephone numbers, and email addresses were obtained by nefarious types before its website was pulled offline to apply necessary security fixes.

According to a case study published by Retail Technology in 2018, two years after the initial data leak, the shoemaker claimed to have developed a significantly meatier security posture following a robust audit ordered by VISA.

However, it's rare to see the full spectrum of payment card information lifted from a website as has happpend with Start-Rite's latest wobble.

According to application security expert Sean Wright, the latest event opens up a catalog of questions about Start-Rite's security posture and how the sensitive nature of the compromised data could be gathered in one fell swoop.

"My first question, and many will be asking, is how this could happen?" he said. "There are compliance requirements such as PCI that would help ensure that appropriate measures are in place to prevent such a situation from happening. However, as we've seen in the past, this doesn't guarantee that a breach won't happen.

"In terms of how this data was actually stolen, until we know the full details, it can only be speculated as to the actual cause. I have to emphasise these are speculations, and by no means point to the actual cause.

"Firstly that data could have been stored, this would be the worst outcome. Next on the list of possibilities is stealing the data when it has been entered into the system. A likely cause of this is card skimming type tools that we've seen attackers use in the past in previous breaches. I suspect that this is the most likely cause. These tools largely inject malicious JavaScript into online payment systems to then steal and forward the entered card details to the attackers.

"Another important factor to note is that the theft of this data is a secondary failure, in that the attackers would have had to firstly breach the organization or system. That's another important question, but one we may possibly not get an answer to."

"If the compromise happened due to a third party as we are led to believe, this is another example of why it is so important to perform supplier due diligence and perform that on a regular basis. Ensuring the security of your suppliers is as important as your own security. After all, the security of your systems is only as strong as its weakest link. Ultimately, customers will likely still view this as your breach, regardless if this was the result of a third party or not."

A hat-tip to Reg reader Barry for letting us know about the incident. ®