Clients purchasing with PayPal are not affected

Feb 26, 2015 16:23 GMT  ·  By

Cybercriminals managed to bypass the security measures available for the website of Lime Crime cosmetics and infected the web server with malware that intercepted payment information from customers.

The company discovered the incident after cyber forensics specialists carried out an investigation. It was found that only credit card purchases were affected and that the data of customers relying on the PayPal payment solution was not impacted by the incident.

Malware lurked on the server for four months

It appears that the malware was planted on the server and carried out its nefarious activity between October 4, 2014 and February 15, 2015. Every transaction within this timeframe is believed to have been intercepted.

According to information from Lime Crime, the compromise was discovered on February 11, 2015.

The details the malware peeked into include names, addresses, website log-in credentials, payment card account numbers, card expiration dates, and the CVV (card verification value) of the card, the three-digit number on the back.

As per the Payment Card Industry Data Security Standard (PCI DSS), merchants should not store CVV codes on their infrastructure; the code is required for card-not-present transactions as a way to verify that the buyer is in possession of the physical card, and once the transaction is authorized there is no legitimate reason to keep it.
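The following is an added example, not code from Lime Crime or from any e-commerce platform named in the article, showing the handling pattern the PCI DSS rule above implies: the CVV is used once for authorization and never written to the order store, and the full card number is replaced by a processor token plus the last four digits. A second function audits an existing stored record for data a merchant must not retain (security-code fields and full Luhn-valid card numbers), which is the kind of check a forensic review of a compromised order database would run. The `authorize_payment` function is a hypothetical stand-in for the real processor call, and the checkout payload is constructed sample data using a standard test card number.

```python
import re
from typing import Any

# Constructed sample checkout payload (not real card data; the PAN is a
# standard test number that passes the Luhn check).
SAMPLE_CHECKOUT = {
    "name": "Jane Doe",
    "address": "1 Example St, Springfield",
    "pan": "4111111111111111",
    "exp_month": 12,
    "exp_year": 2026,
    "cvv": "123",
}

CVV_RE = re.compile(r"^\d{3,4}$")
PAN_RE = re.compile(r"^\d{13,19}$")
# Field names under which a security code is commonly (and wrongly) stored.
SENSITIVE_KEYS = {"cvv", "cvv2", "cvc", "csc", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real-looking PAN from arbitrary digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def authorize_payment(pan: str, exp_month: int, exp_year: int, cvv: str) -> str:
    """Hypothetical stand-in for the payment processor call (assumption).
    A real integration sends the card data to the processor over TLS and
    receives a token back; here the token is fabricated from last4 and expiry."""
    if not (PAN_RE.match(pan) and luhn_ok(pan) and CVV_RE.match(cvv)):
        raise ValueError("card data failed format validation")
    return "tok_" + pan[-4:] + f"_{exp_year}{exp_month:02d}"


def build_order_record(checkout: dict) -> dict:
    """Turn a checkout payload into the record that may be persisted.
    The CVV is consumed by the authorization call and never copied over;
    the PAN is reduced to its last four digits plus the processor token."""
    token = authorize_payment(checkout["pan"], checkout["exp_month"],
                              checkout["exp_year"], checkout["cvv"])
    return {
        "name": checkout["name"],
        "address": checkout["address"],
        "card_last4": checkout["pan"][-4:],
        "exp_month": checkout["exp_month"],
        "exp_year": checkout["exp_year"],
        "payment_token": token,
    }


def find_prohibited_data(record: Any, path: str = "") -> list:
    """Walk a stored record (nested dicts/lists) and report fields that
    PCI DSS says a merchant must not retain: security-code keys, and any
    string that looks like a full PAN (13-19 digits passing Luhn)."""
    findings = []
    if isinstance(record, dict):
        for k, v in record.items():
            sub = f"{path}.{k}" if path else str(k)
            if str(k).lower() in SENSITIVE_KEYS:
                findings.append(f"{sub}: security code stored")
            findings.extend(find_prohibited_data(v, sub))
    elif isinstance(record, list):
        for i, v in enumerate(record):
            findings.extend(find_prohibited_data(v, f"{path}[{i}]"))
    elif isinstance(record, str):
        digits = re.sub(r"[ -]", "", record)
        if PAN_RE.match(digits) and luhn_ok(digits):
            findings.append(f"{path}: full PAN stored")
    return findings


if __name__ == "__main__":
    rec = build_order_record(SAMPLE_CHECKOUT)
    print(rec)
    print("findings in safe record:", find_prohibited_data(rec))
    print("findings in raw checkout:", find_prohibited_data(SAMPLE_CHECKOUT))
```

Run on the raw checkout payload, the audit flags both the full PAN and the CVV field; run on the record produced by `build_order_record`, it returns nothing, which is the state a merchant's order store should be in. Note that the audit only helps with data at rest: malware that hooks the checkout request itself, as described in this incident, sees the CVV before any storage policy applies, so the storage rule limits what a later database compromise exposes rather than what an in-flight skimmer captures.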

Company forces password reset on accounts

The measures taken by Lime Crime to resolve the issue include taking the website offline to clean it and to prevent further theft of personal information. Moreover, the company switched to a different e-commerce platform that is certified as PCI compliant.

Anyone who made a purchase on the website in the aforementioned time interval should review their credit and debit card account statements for unusual activity that may be indicative of a fraud attempt.

The company also used its Facebook and Twitter social media profiles to alert its clients of the incident.

In an abundance of caution, Lime Crime also forced a password reset on all customer accounts and advises users to rely on unique passwords for any online services they log into.

Lime Crime is offering the affected customers an identity protection service free of charge for one year; they can also call the Experian credit bureau in the US to report fraudulent transactions on their cards.

The activation code for the service is included in the letter notifying them of the security incident.  

[UPDATE, February 28]: Lime Crime announced that the credit and debit card data of customers using PayPal to make a purchase has not been impacted.

However, their log-in credentials were exposed during the incident. These customers have also been sent a notification letter by the company.

To eliminate the risks, Lime Crime has initiated a password reset procedure, urging users to rely on unique passwords for accessing online accounts.