nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Gotcha, Tatcha! Thieves hide in servers to hoover up victims' bank card numbers mid-order

Beauty website suffers ugly IT security breach

By Shaun Nichols, 17 May 2017

Cosmetics peddler Tatcha is warning customers after hackers were able to compromise its website and harvest payment card details as orders poured in.

The US branch of the Japanese biz has been sending notices this month to customers whose card details were apparently stolen on January 8 of this year and discovered in April.

"During the early part of 2017, an unauthorized person may have gained access to information keyed into the Tatcha checkout process," Tatcha's notice reads.

"While Tatcha does not store credit card information on its systems, the intruder was potentially able to capture information as it was entered."

Tatcha said the card numbers were not taken from any of its databases, but rather appear to have been grabbed directly from the order page itself. While the company does not give full details, it seems the retail site was compromised, making the incident in many ways similar to the cash register malware breaches that have affected brick-and mortar retailers in recent years. This is opposed to a typical smash-and-grab raid on, say, a database of customer payment details.

Tatcha did not say how many of its customers were compromised in the attack, though it has filed a breach notification with the California Attorney General – meaning at least 500 residents of that state were impacted.

The lifted data includes card number, expiration date, and security codes. This means the attackers have everything they need to charge orders to the pilfered cards. The attackers were also able to lift account passwords and email addresses.

Anyone who receives the notice from Tatcha would be well advised to cancel their payment card immediately, and review all statements since January for unauthorized charges.

Tatcha says it will be providing customers whose cards were stolen with two years of free identity theft monitoring and protection from AllClear ID. Customers will need to contact AllClear ID and enroll in the service themselves. ®

PS: Edmodo, a classroom-learning tech outfit with 78 million registered users, has been hacked, spilling account email addresses and bcrypt-hashed passwords.

Sign up to our Newsletter

Get IT in your inbox daily

The Register - Independent news, views and opinion for the tech sector. Part of Situation Publishing