Cyber Incident Victim: Kiddicare
Date:
Nov 2015
Location:
United Kingdom
Summary
A babycare retailer experienced unauthorized access to customer data, including names, delivery addresses, telephone numbers, and email addresses, though payment details remained secure as they were not stored. The parent company addressed the breach's cause, enhanced security measures, and reset all customer passwords as a precaution despite strong encryption protecting them. Approximately 795,000 records were compromised, primarily impacting accounts created prior to late 2015. The incident was initially identified when the database appeared in underground forums, prompting the attacker to withdraw it after public disclosure. Customers received breach notifications via email, though security experts criticized the company for insufficient promotion of its FAQ through front-page or social media channels.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2016, UK-based babycare retailer Kiddicare publicly disclosed a data breach involving unauthorized access to customer information. The incident came to light after evidence surfaced that Kiddicare’s database was being advertised on underground hacker forums approximately three weeks prior to the announcement. According to the company’s notification to affected customers, compromised data included names, delivery addresses, telephone numbers, and email addresses, but excluded payment details or credit/debit card information, which Kiddicare stated it did not store. The retailer’s parent company, Worldstores, confirmed the breach’s cause had been identified and addressed, with enhanced security measures implemented. While Kiddicare emphasized that passwords remained protected by strong encryption and showed no evidence of compromise, the company initiated a precautionary password reset for all accounts. Customers were advised to update their credentials during their next login using an automated facility. The exact timeline of the breach remained unclear at the time of disclosure, though subsequent updates revealed records up to 6 November 2015 were affected.
Worldstores’ Chief Technology Officer later confirmed approximately 795,000 customer records were accessed during the incident. Kiddicare notified affected customers via email, providing a breach FAQ on its website, though security analyst Graham Cluley criticized the company for not prominently featuring this information on its homepage or social media channels. The breach exposed customers to heightened risks of targeted phishing campaigns due to the stolen personal data. Following public disclosure of the incident, the hacker responsible withdrew the compromised database from sale on underground forums. Kiddicare issued apologies for any inconvenience or concern caused but assured customers they could continue shopping securely following the implemented security enhancements. The company did not initially disclose the breach’s scale when first contacted by media, providing confirmation of the affected record count only after further inquiry.