
Cyber Incident Victim: Procter & Gamble

Date: May 2019

Location: United States of America

Summary

Hackers deployed a MageCart e-skimmer on an online beauty store owned by Procter & Gamble, stealing payment card details including card numbers, expiration dates, cardholder names, and CVV codes. The malicious script operated undetected for over five months by activating only for US-based shoppers and by using geographic and technical filters, including the exclusion of Linux users, likely to hinder analysis by researchers. Despite external notifications, the skimmer persisted until the site became inaccessible with a service error. The incident impacted a significant portion of the site's predominantly US visitor base and highlights the advanced evasion tactics used in prolonged payment data theft.


Description

On May 5, 2019, hackers implanted a MageCart e-skimmer on the First Aid Beauty website, an online beauty store owned by Procter & Gamble following its acquisition earlier that year. The malicious script remained active for over five months, continuously harvesting payment card data from customers until its discovery in late October 2019. Security researcher Willem de Groot of Sanguine Security identified the skimmer, which exhibited advanced targeting capabilities: it activated exclusively for US-based shoppers using non-Linux operating systems, a tactic believed to evade detection by security researchers. The script collected cardholder names, credit card numbers, expiration dates, and CVV codes during the checkout process. De Groot attempted to notify First Aid Beauty's support team approximately one week prior to October 25, but the company had not responded by the article's publication date, though the script was subsequently removed. The skimmer employed heavy obfuscation and encryption, indicating sophisticated operational security by its operators. First Aid Beauty's website averaged approximately 100,000 monthly visitors during the six-month compromise period, with 80% originating from the United States, the primary target demographic for the attackers.


According to de Groot, the skimmer's prolonged undetected presence demonstrated exceptional stealth: it lasted over five months, whereas skimmers are typically discovered within weeks. By October 25, the First Aid Beauty website had become inaccessible, displaying a 503 Service Unavailable error, though the exact cause of this outage was not specified. While the total number of compromised transactions remains undisclosed, the extended exposure period created significant risk for customers who made purchases during the active skimming window. The incident occurred amid broader FBI warnings about MageCart threats targeting small businesses and government agencies, though First Aid Beauty was a subsidiary of a multinational corporation. Procter & Gamble's acquisition of the brand for $250 million earlier in 2019 occurred shortly before the skimmer's implantation, though no direct correlation between the acquisition and the breach was established in available reports. The company ultimately removed the malicious script, but the delayed detection highlighted persistent challenges in identifying sophisticated e-commerce compromises.
