Children's shoemaker Start-Rite confirms major security incident, full customer details leaked

Someone checking their credit card details online.

(Image credit: Pickawood / Unsplash)

Start-Rite notifies customers of a major data breach which saw credit card data exposed
The details about the attackers are unknown at this time
Users with purchases between October 14 and November 7 should scrutinize their bank statements

Children's footwear brand Start-Rite has confirmed suffering a painful data breach in which it lost customer payment information.

The company confirmed the breach in a message to affected customers, The Register revealed, however, not all details about the breach are known at this time, so we don’t know who the attackers were, how many people were affected, or how the breach occurred.

What we do know is that the incident happened between October 14 and November 7, as Start-Rite told customers in its data breach notification email. The information stolen includes full names - as seen on credit and debit cards - postal addresses to which the cards are registered, card numbers, expiry dates, and the CVV numbers. In other words - whoever took this information has everything they need to make online card purchases, commit wire fraud, identity theft, and more.

NHS and friends

"On 11 November, Start-Rite Shoes became aware that it had suffered a security incident via a third-party application code on www.startriteshoes.com," the company told The Register. "The breach potentially provided access to customer bank card information. The website is now secure and the malicious code and third-party app have been removed."

The company’s social channels, and its website, say nothing about the incident just yet, but Start-Rite advised customers to disable the cards and ask their banks for a new one, noting, "we would advise you to contact your bank or credit card provider and ask them to stop the card you used to pay us and issue you with a replacement. You may be able to do this immediately via your mobile banking or credit card app.”

The company also advised users to double-check all transactions from October 14 onward. “If you do see anything which appears strange, you should contact your bank or credit card provider, tell them that you did not authorize the transaction, and ask for a refund. You may wish to provide them with a copy of this email to support your request.”

Given the wording of the statement, this seems to have been a credit card skimmer code installed on the company’s ecommerce site, such as the one MageCart crooks used to drop.

MageCart attacks return to target hundreds of outdated ecommerce sites
Here's a list of the best firewalls around today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.