Payment card information has been exposed

May 28, 2015 16:20 GMT
If you purchased one of these from SafeandVaultStore your card data may be exposed

An online vendor of physical safes and vaults has been hit by cybercriminals who planted malicious code on its eCommerce website and captured details of orders placed by customers.

Although SafeandVaultStore touts its products as “the ultimate theft deterrent,” it looks like it failed to protect its online assets and left sensitive information belonging to its clients exposed to cyber-attacks.

The shop offers a wide range of products capable of withstanding both human-generated physical aggression and natural disasters such as fire and hurricanes, which in certain parts of the US are more of a threat to valuables and important documents than burglars.

Company applies patch to eCommerce software

The incident was discovered on April 28 and the company says that it took the necessary measures to prevent a similar event from happening again.

It appears that the cause of the breach was outdated software, which was patched after the malicious code was removed. The company also reviewed its policies and procedures to make sure that customer information stays protected.

The eCommerce software used by SafeandVaultStore is Magento, which made headlines in the security news in April, when details about a critical remote code execution vulnerability were disclosed by Check Point researchers, who dubbed it Shoplift.

A patch for the security hole was released on February 9, but two months later about 100,000 online shops had still not applied it, even though security researchers warned that exploits had been seen in the wild. Cybercriminals exploiting the flaw could steal databases with payment information.

Free identity protection services offered for 1 year

It is unclear if SafeandVaultStore was compromised via Shoplift, but in a letter to affected customers the company notes that names, addresses, credit or debit card numbers, security codes, expiration dates, phone numbers, and email addresses were exposed to the attacker.

To minimize the effect of the compromise on the impacted customers, SafeandVaultStore is offering them a free one-year subscription to an identity protection service, which monitors whether the pilfered personal information is being traded online.