Parenting retailer Kiddicare has come under fire after admitting that it has been hit by a data breach that exposed the names, addresses and telephone numbers of some of its customers. The company had been using the data on a test website.
The firm has emailed 794,000 customers who may have been affected by the breach, although exactly which customers have been hit is still not known.
The email states: “We want to make you aware that Kiddicare has recently experienced unauthorised access to some customer details. The information accessed does NOT include any credit/debit card information or any payment details whatsoever. Kiddicare does not store any of this information on its systems.”
The company said it became aware of the data breach after customers reported suspicious text messages that had not been sent by Kiddicare. It was then contacted by a security company and was able to link the breach to a test website it had been using in November 2015.
However, security researcher Graham Cluley has slammed the firm for using real customer data on the test site, saying: “It shouldn’t be forgotten that this was a test and things are expected to go wrong.”
Cluley also criticised the company for failing to post details of the breach prominently on its website. “There is currently no mention of the data breach on the Kiddicare website’s homepage or on its Twitter account,” he wrote. “I’m not sure that’s offering the best service for customers who, through no fault of their own, might now be at risk.”
The company was owned by Morrisons until 2014, when it was sold to private equity firm Endless LLP for £2m.