Cyber Incident Victim: Claire's
Date: Apr 2020
Location: United States of America
Summary
A major jewelry and accessories retailer suffered a MageCart attack compromising its e-commerce platform, allowing threat actors to inject malicious code designed to steal customer payment card data during online checkout. The attackers created a spoofed domain to exfiltrate submitted credit card information from the primary website and its subsidiary's site, impacting transactions over a multi-week period while physical store payments remained unaffected. The company removed the malicious script, reinforced platform security, notified payment networks and law enforcement, and advised potentially affected customers to monitor their accounts for unauthorized charges.
Description
In April 2020, threat actors compromised the e-commerce platforms of Claire’s, a major U.S.-based jewelry and accessories retailer, and its subsidiary Icing, in a MageCart-style attack designed to steal customer payment card data. The attackers registered the domain 'claires-assets.com' on March 21, 2020, one day after Claire’s temporarily closed all physical stores worldwide due to the COVID-19 pandemic. This domain remained inactive until April 25, when malicious JavaScript code was injected into the legitimate app.min.js file used by claires.com and icing.com. The compromised file was hosted on Salesforce servers, indicating attackers gained direct write access to the store’s server infrastructure rather than exploiting a supply chain vulnerability. The injected script activated during the checkout process, capturing customers’ payment card details and exfiltrating them via arguments embedded in an image request URL pointing to the attackers’ domain. Sansec, a cybersecurity firm, later confirmed the malicious activity persisted from at least April 30 through June 13, 2020, though Claire’s public statements did not specify the exact start date of data collection.
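
The exfiltration pattern described above (an image request to a brand-lookalike domain carrying data in its URL arguments) can be triaged from browser or proxy request records. The following is an added example, not code from Sansec, Claire's, or the original report; the record shape, the first-party list, the 64-character threshold, and the sample paths and query values are assumptions.

```javascript
// Added example (not from the original report): triage outbound requests seen
// on a checkout page. FIRST_PARTY and BRAND_LABELS are assumed values.
const FIRST_PARTY = ["claires.com", "icing.com"];
const BRAND_LABELS = ["claires", "icing"];

// True when host is a first-party domain or one of its subdomains.
function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith("." + d));
}

// Classify one observed request {type, url}. Three signals together raise an alert:
// off-site host, brand name inside that host, and an image fetch with a long query.
function classifyRequest(req, maxQueryLen = 64) {
  let url;
  try {
    url = new URL(req.url);
  } catch (e) {
    return { verdict: "unparseable", reasons: [] };
  }
  const host = url.hostname.toLowerCase();
  if (isFirstParty(host)) return { verdict: "ok", reasons: [] };

  const reasons = ["off-site host: " + host];
  if (BRAND_LABELS.some((b) => host.includes(b))) {
    reasons.push("brand name in off-site host");
  }
  if (req.type === "image" && url.search.length > maxQueryLen) {
    reasons.push("image request with long query string");
  }
  return { verdict: reasons.length === 3 ? "alert" : "review", reasons };
}

// Constructed sample records; the path and query values are placeholders.
const SAMPLE_REQUESTS = [
  { type: "image", url: "https://www.claires.com/static/logo.png?v=2" },
  { type: "image", url: "https://cdn.example.net/banner.jpg?v=3" },
  { type: "image", url: "https://claires-assets.com/p.gif?d=" + "X".repeat(120) },
];

// Return every request that is not plainly first-party, with its verdict.
function triage(requests) {
  return requests
    .map((r) => ({ url: r.url, ...classifyRequest(r) }))
    .filter((r) => r.verdict !== "ok");
}

console.log(triage(SAMPLE_REQUESTS).map((r) => r.verdict + " " + new URL(r.url).hostname));
```

A Content-Security-Policy whose `img-src` lists only first-party hosts addresses the same pattern at the browser, since image loads to unlisted hosts are blocked.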

Claire’s security team detected the compromise on June 12, 2020 (a Friday), prompting immediate removal of the malicious code and initiation of an investigation. The company confirmed the unauthorized code was designed to intercept payment card data entered during online checkout but clarified that transactions conducted in physical retail stores were unaffected. Claire’s notified payment card networks and law enforcement agencies, and worked to identify impacted transactions for customer notification. Sansec researchers disclosed that Claire’s acknowledged their independent report and eradicated the malicious script by June 13. The company advised affected customers (those who made online purchases between April 30 and June 13) to monitor their account statements for unauthorized charges and contact their card issuers, noting that cardholders are typically not liable for timely reported fraud under payment network rules. No specific figures regarding the number of compromised accounts or financial losses were disclosed in available reports.
