This article is more than 1 year old

Emma Sleep Company admits checkout cyber attack

Customers wake to a nightmare as payment data pilfered from UK website

Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne'er-do-wells to skim customers' credit or debit card data from its website.

Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was "subject to a cyber attack leading to the theft of personal data" but not specifying in the message when it discovered the digital burglary.

"This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not," the email to customers states.

The company confirmed to us it was a Magecart attack via the ubiquitous Adobe Magento e-commerce platform.

"This Magecart attack, which affected customers in 12 countries, involved a malicious piece of code that was added to checkout pages which would skim card data from within a user's browser. The attack was highly targeted, and the attacker created copy-cat URLs tailored to our environment."

The spokesperson said they could confirm that the "platform was kept up to date with all relevant security fixes."

In a classic Magecart attack, such as the one that exposed 40 million British Airways customers' data in 2018 (and for which it was fined £20m/$26m), dodgy folk use skimming techniques to pilfer punters' credit or debit card data.

Operatives get access to a site, either directly or via third-party services, and inject malicious JavaScript which then nabs the information as it is input.

Emma Sleep Company confirmed that its security measures had been "circumvented in a technically advanced way by how the Javascript code was implemented and loaded dynamically from the attacker's server and through highly sophisticated evasion techniques to avoid detection, as well as elaborate countermeasures to (unsuccessfully) prevent analysis, which is why the technology we had in place to keep track of scripts added to the page did not detect it."

It added: "Additional capabilities to detect such attacks have now been deployed. We are also in the process of implementing new CORS and CSP headers."

In February this year, Adobe issued two out-of-bounds patches in a single week when critical security bugs affecting its Magento/Adobe Commerce product emerged, with the vendor warning the vulns were being actively exploited.

Emma Sleep Company's CEO, Dennis Schmoltzi, confirmed in a statement to The Register that the cyber-attack "on the checkout process on our website" had occurred "between 27 January 2022 and 22 March 2022."

Schmoltzi added: "Personal customer information, including credit card data, was stolen. While we never process or store credit card data ourselves, the type of attack was redirecting information as it was typed into form fields in the browser of the user. As of today, we are not aware of any successful abuse of this data."

"As soon as we became aware of this attack, we took immediate action to remove the threat and ensure the security of data, launched a full investigation, and reported this to the relevant authorities, including the police. We also directly contacted all those customers who may have been affected."

CTO Andreas Westendörpf was interviewed talking about scaling up the company's Magento e-commerce solution in January. He told retail digitalization trade mag Location Insider (translated from German): "Magento has been continuously adapted and expanded over the years. In addition, more and more solutions were added that go in the direction of ERP and supply chain."

Currently there is "no evidence" personal or payment data has been abused in the wild, the company said to customers in the email. Nevertheless, it advised them to contact their banks or credit card provider and "follow their advice," and check for unusual or suspicious activity from the date of visiting the checkout page on Emma's website.

One customer that shared the email on the condition of anonymity said: "Apparently getting a good night's sleep means you now might not get a good night's sleep."

This isn't the finest moment for a rapidly expanding business that turned over $731m in 2021, up 59 per cent year-on-year – its eight fiscal year since being founded. It designs and makes "all-foam bed-in-a-box mattresses," a commodity that was seemingly in demand as people looked to make their homes more comfortable while under extended COVID lockdowns.

The German company operates in 18 countries including the US and China, and says it has won 75 awards for its sleep products.

Emma Sleep Company noted that it could answer all of our questions while police investigations continue.

A spokesperson at the ICO - Britain's data watchdog - said: "People have the right to expect that organisations will handle their personal information securely and responsibly.

"Emma, the sleep company has made us aware of an incident and we are assessing the information provided." ®

More about

TIP US OFF

Send us news


Other stories you might like