Well.ca, a Canadian online retailer for health and beauty products, has suffered a data breach, losing the credit card information of “a few thousand” of its customers.
In an email to its customers today, Well.ca said one of its service providers was “illegally compromised” between Dec. 22, 2013, and Jan. 7, 2014. The company lost names, billing addresses, credit card numbers, credit card expiry dates, and the CVV codes for a “few thousand” customers, says Rebecca McKillican, Well.ca’s CEO, in an interview. She didn’t reveal the number of customers, but said only first-time customers, who made their first purchase between Dec. 22, 2013, and Jan. 7, 2014, are affected.
During that time period, an attacker managed to get access to Well.ca’s website through a vulnerability, gaining access to customers’ credit card data as they typed it in for the first time to make a purchase. The vulnerability was closed Jan. 7 when the service provider did a routine change of security measures on Well.ca’s account. The service provider then informed Well.ca about two weeks ago, and Well.ca got further confirmation about the breach from its credit card provider less than a week ago.
For repeat customers, their credit card information has not been compromised because their data is stored with a payment processor, not with Well.ca or its service providers, McKillican says.
“Because it was a small subset of customers [affected], our first priority was to contact those customers, and we’ve been using all of our resources this morning and early afternoon to reach out to those customers,” she says.
However, Kerry Taylor, a Well.ca customer, says she feels the company should have spoken up earlier via social media.
“I think they should have been honest about it up front, and used social media to their advantage in order to let people know that credit card numbers were breached, and to give the specific situations that would cause such a breach,” says Taylor, who blogs about consumer finance at Squawkfox.com.
Taylor received an email notifying her about the breach this morning, and she says she was the first to tweet about it earlier this morning. She has also contacted both her credit card provider and Well.ca’s customer support line.
@journeydan A security breach at a Canadian retailer is a big deal. Waiting weeks to notify customers of identity theft is also a big deal.
— Kerry K. Taylor (@squawkfox) February 18, 2014
Claudiu Popa, CEO of Informatica Security Corp., says he feels Well.ca should have encrypted its customers’ credit card data. Even if Well.ca says it’s not storing this data, it must be sending on the data to its payment processor in an unencrypted form, giving hackers free access to it, he adds.
“Just the fact that Well.ca has discovered the breach is to be commended. The fact is, most organizations in Canada have very, very limited capability to detect breaches,” Popa says, adding companies don’t bother to invest in security monitoring technologies that would tell them if they’ve suffered a breach.
“Unfortunately, we see retailers by the dozens who fail to be compliant with the [Payment Card Industry’s Data Security Standard]. The lack of awareness in Canada is to blame, and the failure of legislation to impose requirements to beef up security monitoring is really the reason why we have a false sense of security in Canada.”
The best way for consumers to reduce the risks of shopping online is to stick to buying from companies that have an integrated credit card processing service attached, like PayPal, he says.
For her part, Taylor says she would advise consumers to use just one credit card for online shopping, and to keep this card at a low maximum limit, just in case there’s a breach.
“I think Well.ca is a perfect example. They’re a small Canadian company, you would think you were safe shopping on Canadian soil, and you’re not safe anywhere. So you just have to be vigilant and careful,” she says.
In the meantime, Well.ca recommends that customers do a careful check of their credit card statements, as well as sign up for a free credit report from Equifax. And for customers who have had their credit card information breached, McKillican says, the company will be reviewing their situations on a case-by-case basis.