The online shop of Claire’s, which also has physical shops on UK high streets, has taken action to remove a Magecart credit card skimmer from its website.
Reports suggest it appears to have been hacked back in March 2020, the criminals did this to take advantage of the closure of its physical stores due to COVID-19.
Over the next four weeks, the domain lay dormant, but at some point between 25th and 30th April, a sequence of malicious code was injected into the Claire’s online store, as well as that of its sister brand, Icing, to intercept customer information entered at checkout and redirected it to the fake server.
Sansec found that the Magecart skimmer was added to an otherwise legitimate app hosted on Claire’s own servers, so there was, in this case, no element of a supply chain attack, suggesting that the attackers had gained write access to the website’s code.
A Claire’s spokesperson said: “Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorised insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process.
We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.
We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorised charges. The payment card network rules generally provide that cardholders are not responsible for unauthorised charges that are timely reported.”
If you have shopped online with Claire’s online in the past few months, we recommend you check and keep a close eye on your bank statements.