Cybercriminals steal card details from 4,000 ecommerce firms – NCSC

card skimming ncsc

Cybercriminals have stolen customer card details from over 4,000 UK online retailers by exploiting a vulnerability in popular ecommerce software Magento, the UK’s National Cyber Security Centre (NCSC) has warned.

The NCSC – a division of GCHQ – is urging ecommerce businesses to update Magento, an open source ecommerce platform that was acquired by Adobe in 2018 for $1.68bn.

Failing to update Magento and other ecommerce software could lead to an attack resulting in “financial and reputational damage”, the NCSC said.

Card skimming sees criminals intercept and make copies of debit or credit cards while they are being used at an ATM or at checkout online.

In total, the NCSC said it notified 4,151 ecommerce companies that they were running a vulnerable version of the software up until the end of September.

The card skimming warning comes in the build up to the annual Black Friday shopping event, which is regularly targeted by cybercriminals.

“We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period,” said Sarah Lyons, NCSC deputy director for economy and society. “Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage.”

In October 2020 British Airways was fined £20m by the Information Commissioner’s Office (ICO) for failing to protect 400,000 customers from a card skimming breach two years earlier. That fine was heavily reduced from the £183m initially proposed by the data regulator.

Infamous hacking group Magecart had successfully injected code to the airline’s website to steal personal and financial data.

Cybersecurity experts welcomed the NCSC’s card-skimming alert but said retailers should take extra precautions to protect both their business and consumers.

“Retailers must focus on deploying and maintaining up-to-date assets, vulnerability, patch management, and configuration management programs,” Joseph Carson, chief security scientist at ThycoticCentrify, told UKTN. “To avoid skimming attacks, hold your cursor over any link to make sure the destination matches and looks legitimate before clicking on it.”

Ed Williams, EMEA director of SpiderLabs at Trustwave, told UKTN that the “timely” advice to update software was “a key aspect of information security but not the be all and end all”.

He added: “It’s vital that security be a focus all year round – security is not just for Black Friday!”

The NCSC made the warnings via its Active Cyber Defence programme, which aims to proactively warn UK businesses and consumers about cyber threats.

“Skimming and other cyber security breaches are a threat to all retailers,” said Graham Wynn, assistant director for consumer, competition and regulatory affairs at the British retail Consortium.

The British Retail Consortium strongly urges all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end of year period.”