Robert Dyas
| Primary URL | Location | Industry |
|---|---|---|
| www[.]robertdyas[.]co[.]uk | Country: United Kingdom | Retail |
Profile
Robert Dyas is a retailer headquartered in the United Kingdom. The company operates an online sales platform where customers can purchase goods, as evidenced by the existence of a dedicated payment page for transaction processing. Its core business involves the retail sale of products to consumers, though the specific categories of merchandise are not detailed in the available incident report. The organization's market focus is the United Kingdom, consistent with its description as a UK retailer and its headquarters location. No explicit information is provided regarding the company's size, number of employees, annual revenue, or physical store footprint. The incident documentation does not specify any parent company, subsidiary relationships, or ownership structure for Robert Dyas. The most thoroughly documented aspect of the organization's activities concerns a significant cybersecurity event that affected its online payment systems.
On March 7, 2020, Robert Dyas suffered a security breach in which attackers injected malicious JavaScript code into its online payment page. This skimming script operated covertly for several weeks, harvesting the payment information entered by customers during the checkout process. The stolen data included credit and debit card details, along with associated personal information such as names and addresses. The incident did not involve the compromise of customer password data. Upon discovery, the company addressed the vulnerability that allowed the injection, thereby stopping the data exfiltration. Robert Dyas communicated that the incident was contained and assured its customers of the resolution. In compliance with data protection regulations, the organization reported the breach to the relevant United Kingdom data protection authority. This event underscores the critical importance of securing e-commerce payment interfaces against injection attacks to protect consumer financial data. The company's response involved technical remediation and customer notification as required following the identification of the malicious script.
