Kiddicare customer data stolen from 'test' website
Posted by Damien Biddulph on Wed 11th May 2016
Parenting retailer Kiddicare has suffered a data breach that exposed the names, addresses and telephone numbers of some of its customers.
The company said it had emailed 794,000 people who may have been affected by the incident.
It said the data had been taken from a version of its website set up for testing purposes.
Security researchers have warned that the details could be used by criminals to try to scam those affected.
The firm said it had reported itself to the UK's Information Commissioner.
UK-based Kiddicare is a baby and child specialist that trades online and from its flagship store in Peterborough.
The company said it became aware of the data breach after customers reported suspicious text messages that had not been sent by Kiddicare.
It was then contacted by a security company with further information and was able to link the breach to a "test" website it had been using in November 2015.
The company has not detailed the breach on its website.
"Kiddicare used real customer data on its test site," said security researcher Graham Cluley in a blogpost.
"It shouldn't be forgotten that this was a test site and things are expected to go wrong."
The company stressed that payment details such as credit card information, which can easily be changed, had not been stolen.
However, customers' names, postal addresses, email addresses and telephone numbers had been exposed and that information could be used by scammers.
Mr Cluley criticised the company for neglecting to post details of the breach prominently on its website, although it has answered some questions on the subject.
"There is currently no mention of the data breach on the Kiddicare website's homepage or on its Twitter account," he wrote.
"I'm not sure that's offering the best service for customers who, through no fault of their own, might now be at risk.
"One clear risk is that Kiddicare customers might be contacted by fraudsters pretending to be the baby specialist retailer, in an attempt to trick unsuspecting consumers into handing over payment information."
The company apologised to customers in a statement sent to the BBC.
"We are very sorry for the potential stress and anxiety this incident may have caused our customers," it said.
"We want to reassure everyone that the problem has been fixed, increased security measures have been implemented and we have a dedicated team here to help with any further concerns."