Cyber Incident Victim: Robert Dyas
Date: Mar 2020
Location: United Kingdom
Summary
A UK retailer experienced a cybersecurity breach where hackers injected malicious JavaScript into its payment page, enabling the theft of customers' credit and debit card details along with names and addresses over several weeks. The script covertly harvested entered payment information without compromising password data. The company resolved the vulnerability, assured customers the incident was contained, and reported the breach to the relevant data protection authority.
Description
Between March 7 and March 30, 2020, attackers compromised the Robert Dyas e-commerce platform by injecting malicious JavaScript code into the payment page. This code operated as a digital skimming mechanism, capturing customers' payment card details, names, and addresses as they entered information during online transactions. The attack specifically targeted customers purchasing goods through the UK-based DIY, electricals, and houseware retailer's website during the COVID-19 lockdown period when online shopping activity increased. The malicious script transmitted harvested data to unauthorized third parties without altering the visible checkout process, leaving customers unaware of the compromise during transactions. Robert Dyas confirmed that password data remained unaffected by the breach. The company discovered the intrusion after the 23-day active period and subsequently removed the malicious code from their systems.

Robert Dyas publicly disclosed the incident via customer email notifications and published an FAQ on their website, though they did not prominently link this resource from their homepage. The company stated they resolved the vulnerability and expressed confidence in the security of their restored systems. Affected customers were advised to monitor their financial accounts for unauthorized transactions. The retailer reported the breach to the UK Information Commissioner's Office (ICO), initiating a regulatory review process. The stolen dataset contained sufficient information to enable financial fraud, creating potential risks for impacted individuals. No details regarding the attack's origin, specific infiltration method, or number of affected customers were disclosed publicly. The incident represented a Magecart-style attack leveraging client-side script injection to harvest payment data from vulnerable e-commerce platforms.
