
Nursery and baby store Kiddicare puts its hand up to data breach after attack on a test site

Nursery and baby store Kiddicare suffers a data breach following a cyber attack on a test website that held real customer data

Details of 800,000 customers have been stolen from baby superstore Kiddicare, after a test site was hacked.

According to reports, hackers stole the data from a test site where real customer data was used for testing.

Kiddicare’s CEOs Joe Murray and Richard Tucker wrote on the Kiddicare website: “We want to make you aware that Kiddicare has recently experienced unauthorised access to some customer details.

“The information accessed does not include any credit/debit card information or any payment information whatsoever. Kiddicare does not store any of this information on its systems.”

Website and software developers often use real data to test changes to code to ensure it works. This data can be made anonymous in a way that allows the application changes to be tested without revealing real customer data.
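One way to produce such a test dataset, shown as an added example that is not Kiddicare's code or part of the original article: keyed, deterministic pseudonymisation of the contact fields, so equal inputs still map to equal tokens and tests that join on them keep working. The field names, the key and the sample row are constructed assumptions.

```python
import hashlib
import hmac
import itertools

# Constructed key for the example; a real key stays outside the test environment.
MASKING_KEY = b"constructed-example-key"

def _token(field: str, value: str, length: int = 10) -> str:
    """Keyed and deterministic: equal inputs map to equal tokens, so joins survive."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).hexdigest()[:length]

def mask_name(value: str) -> str:
    return f"Customer {_token('name', value, 8)}"

def mask_email(value: str) -> str:
    # Still a syntactically valid address, on a reserved TLD that never delivers.
    return f"user_{_token('email', value)}@example.invalid"

def mask_phone(value: str) -> str:
    # Replace every digit but keep length, spacing and '+' so validators still pass.
    digits = itertools.cycle(str(int(_token("phone", value, 16), 16)).zfill(20))
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)

def mask_address(value: str) -> str:
    return f"{_token('address', value, 6)} Test Street"

MASKERS = {"name": mask_name, "email": mask_email,
           "phone": mask_phone, "address": mask_address}
PASS_THROUGH = {"customer_id", "order_total"}  # non-identifying fields tests need

def mask_customer(record: dict) -> dict:
    """Fail closed: any column that is neither masked nor allow-listed is dropped."""
    masked = {}
    for field, value in record.items():
        if field in MASKERS:
            masked[field] = MASKERS[field](value)
        elif field in PASS_THROUGH:
            masked[field] = value
    return masked

# Constructed sample row, not real customer data.
SAMPLE = {"customer_id": 1001, "name": "Jane Example", "email": "jane@example.com",
          "phone": "+44 1632 960123", "address": "1 Sample Road, Exampleton",
          "order_total": 59.99, "notes": "leave with neighbour at no. 3"}

if __name__ == "__main__":
    print(mask_customer(SAMPLE))
```

Free-text columns such as the constructed `notes` field are dropped rather than copied, because they can carry personal details that no per-field masker recognises.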

Security expert Graham Cluley blogged: “In principle, there’s nothing wrong with using real production data on a test environment if the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers.

“But it shouldn’t be forgotten that this was a test site, and things are expected to go wrong.”

According to Cluley, Kiddicare only realised that the data breach, which affected a dataset used on a test site back in November 2015, had happened after it was alerted by a security firm.

On its frequently asked questions page about the attack, Kiddicare said: “While there was no evidence that passwords were compromised, we have taken the precaution of automatically resetting all passwords. When you shop next, please use the auto update facility to reset your password.”


Commenting on the data breach, David Emm, principal security researcher at Kaspersky Lab, said: “In this particular case, the leaked data contains information such as customer names, delivery addresses, phone numbers and e-mail addresses.

“Cyber criminals have the opportunity to use this information to steal personal identities or more. Unfortunately, once a breach of this nature has occurred, there is not much that can be done about the leaked data.

“While Kiddicare.com has taken the precaution of resetting customers’ passwords, the chances are that many will use the same password across multiple online accounts. So it’s important that Kiddicare customers take steps to change the password for other online accounts where they have used the same password.”

The loss of customer data highlights the inherent weakness in using passwords for website authentication.

In April 2016, the National Childbirth Trust admitted losing the log-in credentials of 15,000 people.

At the time, security expert James Romer, chief security architect at SecureAuth, said: “Passwords alone are simply not strong enough, nor adequate to protect vital applications and data.”
