Emma Sleep Company admits checkout cyber attack

Customers wake to a nightmare as payment data pilfered from UK website

Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne'er-do-wells to skim customers' credit or debit card data from its website.

Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was "subject to a cyber attack leading to the theft of personal data" but not specifying in the message when it discovered the digital burglary.

"This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not," the email to customers states.

The company confirmed to us it was a Magecart attack via the ubiquitous Adobe Magento e-commerce platform.

"This Magecart attack, which affected customers in 12 countries, involved a malicious piece of code that was added to checkout pages which would skim card data from within a user's browser. The attack was highly targeted, and the attacker created copy-cat URLs tailored to our environment."

The spokesperson said they could confirm that the "platform was kept up to date with all relevant security fixes."

In a classic Magecart attack, such as the one that exposed 40 million British Airways customers' data in 2018 (and for which it was fined £20m/$26m), dodgy folk use skimming techniques to pilfer punters' credit or debit card data.

Operatives get access to a site, either directly or via third-party services, and inject malicious JavaScript which then nabs the information as it is input.

Emma Sleep Company confirmed that its security measures had been "circumvented in a technically advanced way by how the Javascript code was implemented and loaded dynamically from the attacker's server and through highly sophisticated evasion techniques to avoid detection, as well as elaborate countermeasures to (unsuccessfully) prevent analysis, which is why the technology we had in place to keep track of scripts added to the page did not detect it."

It added: "Additional capabilities to detect such attacks have now been deployed. We are also in the process of implementing new CORS and CSP headers."

In February this year, Adobe issued two out-of-bounds patches in a single week when critical security bugs affecting its Magento/Adobe Commerce product emerged, with the vendor warning the vulns were being actively exploited.

Emma Sleep Company's CEO, Dennis Schmoltzi, confirmed in a statement to The Register that the cyber-attack "on the checkout process on our website" had occurred "between 27 January 2022 and 22 March 2022."

Schmoltzi added: "Personal customer information, including credit card data, was stolen. While we never process or store credit card data ourselves, the type of attack was redirecting information as it was typed into form fields in the browser of the user. As of today, we are not aware of any successful abuse of this data."

"As soon as we became aware of this attack, we took immediate action to remove the threat and ensure the security of data, launched a full investigation, and reported this to the relevant authorities, including the police. We also directly contacted all those customers who may have been affected."

CTO Andreas Westendörpf was interviewed talking about scaling up the company's Magento e-commerce solution in January. He told retail digitalization trade mag Location Insider (translated from German): "Magento has been continuously adapted and expanded over the years. In addition, more and more solutions were added that go in the direction of ERP and supply chain."

Currently there is "no evidence" personal or payment data has been abused in the wild, the company said to customers in the email. Nevertheless, it advised them to contact their banks or credit card provider and "follow their advice," and check for unusual or suspicious activity from the date of visiting the checkout page on Emma's website.

One customer that shared the email on the condition of anonymity said: "Apparently getting a good night's sleep means you now might not get a good night's sleep."

This isn't the finest moment for a rapidly expanding business that turned over $731m in 2021, up 59 per cent year-on-year – its eight fiscal year since being founded. It designs and makes "all-foam bed-in-a-box mattresses," a commodity that was seemingly in demand as people looked to make their homes more comfortable while under extended COVID lockdowns.

The German company operates in 18 countries including the US and China, and says it has won 75 awards for its sleep products.

Emma Sleep Company noted that it could answer all of our questions while police investigations continue.

A spokesperson at the ICO - Britain's data watchdog - said: "People have the right to expect that organisations will handle their personal information securely and responsibly.

"Emma, the sleep company has made us aware of an incident and we are assessing the information provided." ®

Other stories you might like

  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading
  • Workday nearly doubles losses as waves of deals pushed back
    Figures disappoint analysts as SaaSy HR and finance application vendor navigates economic uncertainty

    HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

    The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

    However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

    Continue reading

Biting the hand that feeds IT © 1998–2022