Cyber Incident Victim: Kitronik
Date: Aug 2018
Location: United Kingdom
Summary
Kitronik, an educational electronics vendor, experienced a data breach when Magecart malware infiltrated its Magento-based online store, operating undetected for approximately two months and compromising customer information entered during checkout. The malware captured names, email addresses, payment card numbers, expiration dates, CVV codes, and postal addresses, enabling potential fraud. The breach was identified after the payment gateway provider flagged unusually high fraud rates, prompting an investigation that revealed sophisticated malware altering the website database to bypass security monitoring. While pre-existing account holders' address details were likely unaffected, the incident triggered scrutiny from data protection authorities. The attack methodology mirrored high-profile Magecart incidents, exploiting vulnerabilities in third-party components to harvest sensitive data.
Description
Kitronik, an educational electronics vendor specializing in accessories for the BBC micro:bit, experienced a data breach between early August and mid-September 2018. The company’s data controller attributed the incident to Magecart malware, a strain previously linked to high-profile attacks on British Airways and Ticketmaster. Attackers injected malicious JavaScript into the checkout pages of Kitronik’s Magento-based e-commerce platform, enabling them to capture keystrokes during payment transactions. Compromised data included customers’ names, email addresses, payment card numbers, expiration dates, CVV codes, and postal addresses—sufficient information for fraudulent transactions. The malware operated undetected by modifying the website’s database directly, bypassing Kitronik’s code-change monitoring system. Only customers who entered details at checkout during the infection window were affected; those with pre-existing accounts established before August were not exposed to address theft. Schools and business customers using credit facilities were deemed unlikely to have been impacted. The breach was discovered after Kitronik’s payment gateway provider flagged an unusual surge in fraudulent transactions, prompting an internal investigation.

Kitronik notified affected customers via email in November 2018 but did not publicly disclose the number of compromised accounts or confirm whether it reported the breach to the UK Information Commissioner’s Office (ICO) within the 72-hour window mandated by GDPR. The ICO acknowledged awareness of the incident and stated it would investigate. Forensic analysis indicated the attackers exploited Magento platform vulnerabilities through third-party components, aligning with Magecart’s typical *modus operandi*. No remediation steps taken by Kitronik were detailed beyond the initial customer communication. The company emphasized the sophistication of the attack, which evaded its existing security controls by targeting backend database structures rather than frontend code. Consequences included direct financial risks to customers from card fraud and potential regulatory scrutiny under data protection laws. The incident underscored Magecart’s persistent threat to e-commerce platforms reliant on embedded third-party services.
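The description says the skimmer lived in the database, out of reach of file-based code-change monitoring. The added example below (not from Kitronik or the original report) audits database-stored HTML for script tags. It assumes Magento's `core_config_data` table and `design/*` paths, which the report does not name, and uses constructed rows and placeholder hosts.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: the only hosts this shop's pages should load scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>", re.I)


def audit_config_rows(conn):
    """Return (config_id, path, reason) for stored values that put script on a page."""
    findings = []
    rows = conn.execute(
        "SELECT config_id, path, value FROM core_config_data ORDER BY config_id")
    for config_id, path, value in rows:
        value = value or ""
        for src in SCRIPT_SRC.findall(value):
            host = urlparse(src).hostname  # None for same-origin relative URLs
            if host and host.lower() not in ALLOWED_HOSTS:
                findings.append((config_id, path, "external script: " + host))
        if INLINE_SCRIPT.search(value):
            findings.append((config_id, path, "inline script: compare to baseline"))
    return findings


def build_sample_db():
    """Constructed sample rows; table and paths follow Magento's layout (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data "
                 "(config_id INTEGER PRIMARY KEY, path TEXT, value TEXT)")
    conn.executemany("INSERT INTO core_config_data (path, value) VALUES (?, ?)", [
        ("design/head/includes", '<link rel="stylesheet" href="/skin/extra.css">'),
        ("design/footer/absolute_footer",
         '<script src="https://cdn.shop.example/chat.js"></script>'),
        ("design/head/includes",
         '<SCRIPT type="text/javascript" src="//stats-collect.example/m.js"></SCRIPT>'),
        ("design/footer/copyright", "&copy; Shop <script>var a = 1;</script>"),
    ])
    return conn


if __name__ == "__main__":
    for finding in audit_config_rows(build_sample_db()):
        print(finding)
```

Run on a schedule against a read-only replica, a check like this covers the storage layer that file-integrity monitoring does not see.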
