
Cyber Incident Victim: HIDS4U

Date: Aug 2017

Location: United Kingdom

Summary

A UK automotive technology retailer experienced a data breach resulting in unauthorized access to its customer database, exposing names, email addresses, and postal details of 4,179 individuals. Attackers leveraged the stolen information to send phishing emails impersonating the company, offering fraudulent loyalty rewards like free dash cams and redirecting recipients to a scam webpage hosted on a compromised Texas medical center's site. The organization notified affected customers of the threat, clarified that no financial data was stored, and advised vigilance against deceptive offers. While the firm asserted no ongoing breach and initiated an investigation into the incident's timeline, it faced criticism for insufficient public communication regarding the breach via its official channels.


Description

In August 2017, UK automotive technology retailer HIDS4U experienced a data breach compromising customer information, which led to targeted phishing attacks against its client base. The incident first came to light on August 23 when customers began reporting suspicious emails on the PistonHeads motoring forum. These phishing messages impersonated HIDS4U and offered recipients a "free Dash Cam" as a loyalty reward, directing them to a fraudulent webpage hosted on a compromised Texas-based orthopaedic center's website. During investigation of this malicious site, security researchers discovered a publicly accessible CSV file containing the personal details of 4,179 HIDS4U customers, including full names, email addresses, and physical mailing addresses. Forum members promptly alerted HIDS4U, prompting the company to email warnings to its customer base about the phishing campaign. The company advised recipients to disregard any "Special Deal" or "Free Gift" email offers and confirmed that attackers had obtained historical customer data through an earlier breach of their systems.


HIDS4U initiated an internal investigation but could not immediately determine the exact timeframe of the initial breach. The company emphasized that payment card details remained secure because they had never stored such financial information. Customers who had already responded to the phishing emails and disclosed payment details were instructed to cancel their compromised cards and monitor for fraudulent transactions. While HIDS4U asserted it took security "very seriously" and found "no sign" of ongoing breaches, the company faced criticism for failing to publicly acknowledge the incident through its official website, Twitter account, or Facebook page. The absence of transparent communication channels raised concerns about the legitimacy of the warning emails among some customers. Independent observers noted uncertainty regarding whether HIDS4U had reported the breach to the UK Information Commissioner's Office, as no confirmation of regulatory notification was available at the time of public disclosure.
