Charmin'. Garmin admits customers' full credit card data nicked from South African web store

Updated GPS and wearables maker Garmin has warned customers in South Africa that their personal info and payment data were pinched after they shopped on the shop.garmin.co.za portal.

The stolen data, which the emailed notice said was limited to Garmin's South Africa site, included customers' home addresses, phone numbers and emails as well as all the information needed for a criminal to make purchases using their payment cards, not to mention gain a foothold into identity fraud.

In the breach notice, attributed to Garmin's South Africa MD, Jennifer Van Niekerk, the firm explained the "recently discovered theft of customer data from orders" included "the number, expiration date and CVV code for your payment card, along with your first and last name, physical address, phone number and email address".

A Reg reader based in South Africa, who made a purchase from the vendor in early 2018, said Garmin's response had fallen short, with no offer on the table for fraud protection and no explanation given.

The shopping portal (https://shop.garmin.co.za) has been hauled offline but appears to have been running on the popular Magento ecommerce platform – formerly owned by eBay and last year acquired by Adobe to be borged into its Experience Cloud enterprise CMS platform. As Reg readers will recall, cross-site scripting vulns were first found on versions of Magento back in 2016, prompting urgent calls for merchants to patch their installations.

The flaws made unpatched Magento shops vulnerable to carding malware, and miscreants flinging the Magecart card-slurping variant, among others, took full advantage in the months and years after.

Dutch developer Willem de Groot found in October of the same year that hackers had installed skimming scripts on more than 6,000 online stores running vulnerable versions of Magento, and as recently as November last year, toff tat bazaar Sotheby's Home was struck. It is not known if this is how the Garmin data was snaffled, and we've asked the firm to clarify.

Such skimming badware would allow miscreants to slurp the data as it was being typed into a form, rather than, say, accessing any stored data. The implication for customers in that scenario is that the malware could theoretically have been in place for some time.

Readers who use Magento can make sure their systems are patched as per the recommendations from the Magento Security Center here.

We've asked Garmin South Africa about the number of people whose data was accessed, its storage and encryption of payment data, the nature of the problem, and how it intended to protect its customers and will update if we hear more.

The South African arm is listed in Garmin US's annual reports and on its website as a subsidiary, though the sales data is not broken down into countries. Garmin hauled in total revenue of $3.34bn in fiscal '18 (PDF), ended December 29, $1.2bn of which was attributable to the EMEA region. Its operating income for the year was $778m, 14 per cent growth over the prior year's $683m.

The notice did contain an apology along with the expected bit about taking data protection "seriously" along with a piece of advice. "We recommend that you review and monitor your payment card records to make sure there were no unauthorized purchases."

Quite. ®

Updated at 16:36 UTC 13 September to add:

Garmin confirmed to The Reg that criminals had indeed used "card skimming tech" to capture details as they were input and fingered a contractor which it did not name. It told us the e-commerce site "was operated by a third party on behalf of Garmin South Africa.

"Promptly after learning of this incident, we immediately shut down the impacted system, began an investigation, and contacted the South African Information Regulator.

"While Garmin does not store credit card information, the unauthorized party leveraged virtual skimming technology to capture customer details at the time of input, including credit card information." It added that the incident was isolated to a few thousand customers who accessed the SA portal: "This incident affected less than 6,700 customers in South Africa and does not affect customers who purchased from other Garmin websites in other regions."

It said it was "working on safeguards to prevent future attacks".