Industry News

Hackers steal credit card details from Sweaty Betty customers

Hackers steal credit card details from Sweaty Betty customers

Women’s activewear retailer Sweaty Betty has emailed some of its customers warning that their payment card details may have been compromised by malicious code running on its website.

In an email sent to affected customers, the yoga pants and gym leggings store explained that hackers had gained access to the checkout area of its website, and planted malicious code which stole payment information as it was entered by users.

According to the firm, affected customers attempted to place orders online or over the phone “for limited intermittent periods of time from Tuesday 19 November at 6.24pm (GMT) to Wednesday 27 November 2019 at 2.52pm (GMT).”

As a consequence, stolen information such as customers’ names, passwords, billing addresses, delivery addresses, email addresses, telephone numbers, payment card numbers, CVV numbers and expiry dates were compromised.

In the email, Sweaty Betty warns that it is making customers aware of the incident because “card information could be vulnerable to misuse.”

It is unclear just how many customers have been affected by trhe breach, but according to the firm’s investigation, only customers who entered new card details as part of the payment process (rather than used credit card details already stored on the website) are affected.

The attack bears all the hallmarks of the Magecart attacks which have troubled scores of businesses, including the likes of Ticketmaster, British Airways, SHEIN, and the American Cancer Society.

In those attacks malicious scripts have silently harvested personal data and payment card information as customers bought goods and services online. In some cases the scripts have been planted directly on the websites by hackers who have compromised a company’s infrastructure, in others they made have poisoned third-party Javascript libraries used by a variety of websites.

Through this technique hundreds of millions of consumers have had their payment card details stolen by fraudsters, causing damage to the reputation of the companies affected and introducing obvious risks to customers.

What is perhaps most worrying about the Sweaty Betty security incident is the company’s reluctance to talk about it publicly.

Users who have asked the company via social media to confirm the security advisory is genuine have been told to contact Sweaty Betty’s customer support team via private channels.

At the time of writing, Sweaty Betty has not told its thousands of followers on Twitter or Facebook about the security breach. Nor have I been able to find any mention on Sweaty Betty’s website of the incident.

The impression one gets, sadly, is that Sweaty Betty is trying to keep news of the credit card data breach as quiet as possible in an attempt to avoid damage to the brand in the run-up to what would normally be a peak time of the year for sales.

However, experience has shown that being upfront and transparent about data breaches is usually a much better policy and can turn a difficult incident into an opportunity to build trust from your customers.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.