Cyber Incident Victim: Well.ca
Date:
Dec 2013
Location:
Canada
Summary
A Canadian online retailer experienced a data breach compromising credit card information, including names, billing addresses, card numbers, expiry dates, and CVV codes, for several thousand first-time customers. Attackers exploited a vulnerability in a third-party service provider's system, intercepting payment details during initial transactions before the flaw was patched. Repeat customers were unaffected as their data resided with a separate payment processor. The company notified impacted individuals after confirmation from its credit card provider, though some criticized the delayed communication. Financial monitoring and case-by-case support were offered to victims.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Well.ca data breach occurred between December 22, 2013, and January 7, 2014, when an attacker exploited a vulnerability in the Canadian online retailer’s website to intercept credit card information from first-time customers during their initial purchase transactions. The compromised data included names, billing addresses, credit card numbers, expiration dates, and CVV security codes. Well.ca CEO Rebecca McKillican confirmed the breach impacted “a few thousand” customers but declined to specify the exact number. Only customers making their first purchase during the 17-day window were affected, as repeat customers’ payment data was stored with a third-party payment processor rather than Well.ca or its service providers. The vulnerability was closed on January 7 when the unnamed service provider implemented routine security changes to Well.ca’s account. The service provider notified Well.ca approximately two weeks before February 18, 2014, with final confirmation from Well.ca’s credit card provider arriving less than a week prior to the public disclosure.
Well.ca initiated customer notifications via email on February 18, 2014, prioritizing direct communication with affected individuals. The company advised customers to review credit card statements and obtain free credit reports from Equifax, offering case-by-case reviews for compromised accounts. Criticism emerged regarding notification timing, as customer Kerry Taylor noted Well.ca delayed using social media to broadly alert potential victims despite her early public disclosure via Twitter. Security expert Claudiu Popa identified systemic issues, asserting Well.ca transmitted unencrypted credit card data to processors, violating Payment Card Industry Data Security Standards (PCI DSS). Popa cited widespread non-compliance among Canadian retailers and inadequate security monitoring investments as contributing factors. Well.ca did not disclose whether encryption was implemented post-breach or specify technical details about the vulnerability beyond its exploitation occurring during real-time data entry by new customers.