Kiddicare customers at risk after data spills from test server

British retailer Kiddicare, which has made a name for itself selling pushchairs, car seats and more, has suffered a data breach that has exposed the personal information of its customers.

Kiddicare has sent an email to affected customers saying that their names, delivery addresses, telephone numbers and email addresses have fallen into the hands of hackers – but that, thankfully, no payment details have been compromised as the company says it does not store or process credit card information.

An FAQ posted on Kiddicare’s website shares some further details.

Apparently, the first sign that there might be something to worry about was when a “small number” of customers reported receiving SMS text messages claiming to come from a subsidiary website of Kiddicare.com, inviting customers to take an online survey.

Online surveys have often been a tool used by scammers to earn revenue, either by tricking users into believing that they are going to receive a cash prize, or by signing participants up for expensive premium rate mobile phone services.

At this time, Kiddicare hunted for evidence that its systems may have been compromised, but found no evidence of hackers. It was only when they were alerted by a security company that data had been exposed that it linked the breach to a dataset used on a test site back in November 2015.

In other words, Kiddicare used real customer data on its test site.

In principal, there’s nothing really wrong with using real production data on a test environment *if* the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers. But it shouldn’t be forgotten that this was a test site, and things are expected to go wrong.

Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites – opening opportunities for data thieves and hackers.

For that reason it’s usually much safer to generate fake data for testing purposes – just in case.

Kiddicare says that it has now deleted the test site – which is a good thing, of course.

What’s less impressive is that there is currently no mention of the data breach on the Kiddicare website’s home page or on its Twitter account. I’m not sure that’s offering the best service for customers who, through no fault of their own, might now be at risk – and may be keen to confirm that the warning email they received is genuine, and to read further advice in Kiddicare’s FAQ.

It’s almost as if Kiddicare would prefer to turn a blind eye to the potential seriousness of the breach.

One clear risk is that Kiddicare customers might be contacted by fraudsters pretending to be the baby specialist retailer, in an attempt to trick unsuspecting consumers into handing over payment information. Such attacks could be spammed out in the form of phishing emails or potentially take place over the telephone.

If the right social engineering were used by scammers it’s easy to imagine how a sleep-deprived parent of a young child might make an unwise decision and accidentally share their details with someone attempting to raid their bank accounts.

Kiddicare says that there is no evidence that customer passwords were compromised, but has taken the step of automatically resetting all passwords regardless.

Naturally, we recommend that internet users remember to use different passwords for different websites. So if you were using your old Kiddicare password anywhere else on the net, now would be a great time to change it.