Russian security house Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand's website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages.
What's worse, the researchers reported that, despite multiple attempts to reach FILA, they have been unable to get the card-data-stealing code removed.
FILA did not respond to our request for comment on the allegation.
Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JSREAD MORE
In short, don't order anything from FILA online, and if you have, contact your bank and check your statements.
"Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS [content management system], used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods," Volkov added.
Just how many customers could have fallen victim to the attack is difficult to say. Group-IB used a loose estimate based on monthly traffic figures and a one per cent conversion rate (ie, 1 per cent of people who visit the site end up buying something) to arrive at an estimated figure of around 5,600 compromised cards.
Updated to add