James
March 25, 2020
•[ hack, misconfiguration, retail ]
In June 2020, 14 previously undisclosed data breaches appeared for sale including the Brazilian delivery service, "James". The breach occurred in March 2020 and exposed 1.5M unique email addresses, customer locations expressed in longitude and latitude and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Takeaway
March 19, 2020
•[ hack, ddos, retail ]
The German food delivery service Takeaway is hit with a DDoS attack.
NutriBullet
March 18, 2020
•[ financial, malware, retail ]
NutriBullet is the victim of a Magrcart attack.
Boots
March 4, 2020
•[ hack, brute-force, retail ]
Boots suspends payments using loyalty points in shops and online after attempts to break into customers' accounts using stolen passwords.
J.Crew
March 3, 2020
•[ hack, retail ]
Clothing giant J.Crew says an unknown number of customers had their online accounts accessed "by an unauthorized party" in or around April 2019.
Vijay Sales
March 2, 2020
•[ leak, misconfiguration, retail ]
A threat actor posts a leaked Vijay Sales, a large electronics retail store chain in India, database on a popular dark web hacker forum. The threat actor claims the source was from an "exposed backup server" breached in February 2020.
Tesco
March 2, 2020
•[ hack, brute-force, retail ]
Tesco issues new cards to 600,000 Clubcard account holders after a credential stuffing attack.
Slickwraps
February 16, 2020
•[ leak, retail ]
In February 2020, the online store for consumer electronics wraps Slickwraps suffered a data breach. The incident resulted in the exposure of 858k unique email addresses across customer records and newsletter subscribers. Additional impacted data included names, physical addresses, phone numbers and purchase histories.
Charleston Lube Partners
February 14, 2020
•[ hack, malware, retail ]
Charleston Lube Partners reveals to have been hit by a PoS malware between February 14, 2019 and August 19, 2019.
Rutter's
February 13, 2020
•[ financial, malware, retail ]
Rutter's discloses that 71 locations were infected with a point-of-sale (POS) malware that was used by attackers to steal customers' credit card information.
Home Chef
February 10, 2020
•[ leak, retail ]
In early 2020, the food delivery service Home Chef suffered a data breach which was subsequently sold online. The breach exposed the personal information of almost 9 million customers including names, IP addresses, post codes, the last 4 digits of credit card numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
100 UPS Store Locations
January 21, 2020
•[ leak, phishing, retail ]
Sensitive personal and financial information of UPS Store customers is exposed in a phishing incident affecting roughly 100 local store locations between September 29, 2019, and January 13, 2020.
Hanna Andersson
January 20, 2020
•[ hack, malware, retail ]
US children's apparel maker and online retailer Hanna Andersson discloses that its online purchasing platform was hacked and malicious code was deployed to steal customers' payment info for almost two months.
Pampling
January 4, 2020
•[ hack, misconfiguration, retail ]
In January 2020, the online clothing retailer Pampling suffered a data breach that exposed 383k unique customer email addresses. The data was later shared on a popular hacking forum and also included names, usernames and unsalted MD5 password hashes.
Tokopedia
January 1, 2020
•[ hack, retail ]
hacked
Wawa (company)
January 1, 2020
•[ hack, retail ]
hacked
Landry's
December 31, 2019
•[ financial, malware, retail ]
Restaurant chain Landry's discloses a security incident that involved the discovery of malware on the network of 63 restaurants. The malware was designed to collect payment card data from cards swiped at its bars and restaurants, and was active from March 13 to October 2019.
Islands restaurants
December 19, 2019
•[ financial, malware, retail ]
Islands restaurants announces a PoS malware incident.
