Online clothing retailer Patagonia is the latest retailer to fall victim to a website hack, with customers’ banking details and credit card information believed to have been the target.
Details of the hack emerged earlier this week, with the ABC reporting hundreds of customers’ bank details were at risk.
The hack, which is believed to have occurred between August 4 and September 12, has potentially exposed the debit and credit card details of approximately 600 customers who bought something from the site between those dates.
The names, email addresses and account passwords of an additional 12,500 other customers are also believed to be at risk.
In a statement provided to SmartCompany this morning, a spokesperson for Patagonia said the retailer is “committed to providing a safe and secure e-commerce shopping experience” and “deeply apologises for any inconvenience or frustration that this incident may have caused”.
Patagonia has reported the incident to the Australian Federal Police as well as the Office of the Australian Information Commissioner and has indicated it will continue to co-operate with authorities investigating the breach.
The spokesperson says the incident was effectively contained on September 12 and has now been resolved.
“Upon becoming aware of the potential threat, Patagonia promptly engaged outside forensic experts to investigate the incident and to assist us in developing a better understanding of the situation,” the spokesperson says.
“We have already taken steps to strengthen our website security and are continuing to design and implement enhanced security measures in order to prevent this type of incident from recurring.”
The spokesperson says the registration data of customers may have been compromised.
“While we have found no evidence of unauthorised access to this website registration data, we provided notice out of an abundance of caution because we value our customers and wanted to keep them informed and aware of steps that may be taken to help prevent future misuse,” the spokesperson says.
Patagonia’s website has been disabled while the investigation continues and the company has offered eligible customers one year of “complimentary credit monitoring”.
AVG security advisor Michael McKinnon told SmartCompany this morning the breach is an “all too familiar story”.
“It’s clearly another example of a retailer with a website that perhaps is not as secure as it possibly could have been,” he says.
“It reaffirms the importance of business paying attention to security of its website as much as it can.”
McKinnon says the offer of one year of complimentary credit monitoring is interesting.
“In order to offer complimentary credit card monitoring, it’s clear that there is some serious nature to it,” he says.
“I think it will be interesting to wait and see what data is actually breached so people can make a more informed choice about their privacy.”
McKinnon says Patagonia has done all the right things in getting on the front foot with customers about the breach.
“Every business owes it to their customers to be upfront and transparent at all times,” he says.
“Unfortunately they’ve had a compromise.”
McKinnon says Patagonia appears to have taken the worst-case scenario approach, which is that all of its data may have been compromised.
“That’s the right position to take, you’re assuming the worst.”
McKinnon says the reality is it might have been only a minor breach, but businesses don’t always have a way of knowing how much data has been compromised.
“The frustrating part of any data breach of any company is often that you don’t know exactly what information has been accessed; you don’t know how it will surface or be used by attackers,” he says.
McKinnon says online retailers are usually targets for hackers because these businesses collect their customers’ credit card information.
“They are prime targets for that kind of financial fraud,” he says.
“My recommendation for businesses collecting credit card information is to seriously consider using a payment provider where credit card data is not sent to your web server but instead to the payment processor directly.”
“What it does is alleviate the business of the burden of having to secure their website and in particular secure credit card data, which is often the prime target.”
McKinnon says for small businesses it comes back to the principle of only asking for information your business needs to operate.
“Don’t ask for information you don’t actually need,” he says.