Children's shoemaker Start-Rite confirms major security incident, full customer details leaked

Someone checking their credit card details online.
(Image credit: Pickawood / Unsplash)

  • Start-Rite notifies customers of a major data breach which saw credit card data exposed
  • The details about the attackers are unknown at this time
  • Users with purchases between October 14 and November 7 should scrutinize their bank statements

Children's footwear brand Start-Rite has confirmed suffering a painful data breach in which it lost customer payment information.

The company confirmed the breach in a message to affected customers, The Register revealed, however, not all details about the breach are known at this time, so we don’t know who the attackers were, how many people were affected, or how the breach occurred.

What we do know is that the incident happened between October 14 and November 7, as Start-Rite told customers in its data breach notification email. The information stolen includes full names - as seen on credit and debit cards - postal addresses to which the cards are registered, card numbers, expiry dates, and the CVV numbers. In other words - whoever took this information has everything they need to make online card purchases, commit wire fraud, identity theft, and more.

NHS and friends

"On 11 November, Start-Rite Shoes became aware that it had suffered a security incident via a third-party application code on www.startriteshoes.com," the company told The Register. "The breach potentially provided access to customer bank card information. The website is now secure and the malicious code and third-party app have been removed."

The company’s social channels, and its website, say nothing about the incident just yet, but Start-Rite advised customers to disable the cards and ask their banks for a new one, noting, "we would advise you to contact your bank or credit card provider and ask them to stop the card you used to pay us and issue you with a replacement. You may be able to do this immediately via your mobile banking or credit card app.”

The company also advised users to double-check all transactions from October 14 onward. “If you do see anything which appears strange, you should contact your bank or credit card provider, tell them that you did not authorize the transaction, and ask for a refund. You may wish to provide them with a copy of this email to support your request.”

Given the wording of the statement, this seems to have been a credit card skimmer code installed on the company’s ecommerce site, such as the one MageCart crooks used to drop.

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A man looking at a tablet with a brown Best Buy package on the desk in front of him
Huge Christmas data breach - 14 million shipping records leaked, putting shoppers at risk
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Zagg warns customers their data may have been stolen in third-party cyberattack
A person with a laptop using a credit card online.
Avery label maker confirms attack on its site, customer credit card info stolen
Casio logo
Casio’s online store hit by bogus credit card stealing checkout form
A computer being guarded by cybersecurity.
Wacom warns users their data may have been stolen in breach
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Green Bay Packers online store used to steal fan credit card details
Latest in Security
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Latest in News
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game