Industry News

Kiddicare customers at risk after data spills from test server

British retailer Kiddicare, which has made a name for itself selling pushchairs, car seats and more, has suffered a data breach that has exposed the personal information of its customers.

Kiddicare has sent an email to affected customers saying that their names, delivery addresses, telephone numbers and email addresses have fallen into the hands of hackers – but that, thankfully, no payment details have been compromised as the company says it does not store or process credit card information.


An FAQ posted on Kiddicare’s website shares some further details.

Apparently, the first sign that there might be something to worry about was when a “small number” of customers reported receiving SMS text messages claiming to come from a subsidiary website of, inviting customers to take an online survey.

Online surveys have often been a tool used by scammers to earn revenue, either by tricking users into believing that they are going to receive a cash prize, or by signing participants up for expensive premium rate mobile phone services.

At this time, Kiddicare hunted for evidence that its systems may have been compromised, but found no evidence of hackers. It was only when they were alerted by a security company that data had been exposed that it linked the breach to a dataset used on a test site back in November 2015.

In other words, Kiddicare used real customer data on its test site.

In principal, there’s nothing really wrong with using real production data on a test environment *if* the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers. But it shouldn’t be forgotten that this was a test site, and things are expected to go wrong.

Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites – opening opportunities for data thieves and hackers.

For that reason it’s usually much safer to generate fake data for testing purposes – just in case.

Kiddicare says that it has now deleted the test site – which is a good thing, of course.

What’s less impressive is that there is currently no mention of the data breach on the Kiddicare website’s home page or on its Twitter account. I’m not sure that’s offering the best service for customers who, through no fault of their own, might now be at risk – and may be keen to confirm that the warning email they received is genuine, and to read further advice in Kiddicare’s FAQ.


It’s almost as if Kiddicare would prefer to turn a blind eye to the potential seriousness of the breach.

One clear risk is that Kiddicare customers might be contacted by fraudsters pretending to be the baby specialist retailer, in an attempt to trick unsuspecting consumers into handing over payment information. Such attacks could be spammed out in the form of phishing emails or potentially take place over the telephone.

If the right social engineering were used by scammers it’s easy to imagine how a sleep-deprived parent of a young child might make an unwise decision and accidentally share their details with someone attempting to raid their bank accounts.

Kiddicare says that there is no evidence that customer passwords were compromised, but has taken the step of automatically resetting all passwords regardless.

Naturally, we recommend that internet users remember to use different passwords for different websites. So if you were using your old Kiddicare password anywhere else on the net, now would be a great time to change it.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • "In principal, there’s nothing really wrong with using real production data on a test environment *if* the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers."

    That is incorrect, but not for the reasons discussed in this article. Instead, it is incorrect because developers and testers tends to have access to all data on test systems, and increasing access to this data (even by "trusted" insiders) comes with increase chances of abuse or accidental exposure. Therefore, test systems should have test data only, not real customer data.

  • It is not surprising to hear that another business has suffered the fate of a data breach. Learning from this, it is imperative for businesses to understand that it is not enough to solely rely on Information Security teams to advise if a breach has occurred. These attacks are happening on a daily basis and businesses only usually find out once the data has been sold and their customers become the victim of targeted phishing attempts; unfortunately by this point, the damage is already done.

    Normal cyber defences are no longer enough. Companies must be proactive and test the security of the whole business – from the perimeter all the way through to employee awareness training. Put simply, taking a proactive stance in relation to Information Security is the only way that companies are going to stop these hacks from happening.