
Playtime’s over: Crooks swipe Toys R Us Canada customer data and dump it online

The Canadian outpost of retailer Toys R Us on Thursday notified customers that attackers accessed a database, stole some of their personal information, then posted the data online.

In a Thursday breach disclosure notice emailed to affected customers and shared on social media, the toy shop said it discovered the digital break-in on July 30, after the intruders claimed to have posted stolen customer data “on the unindexed internet.”

A subsequent investigation found that the records were indeed stolen, and that the thieves had copied people’s names, addresses, phone numbers, and emails from the Toys R Us database.

“We’d like to stress that no passwords, credit card details, or similar confidential data were involved in this incident,” the company’s alert states.

The notification doesn’t explain when the compromise occurred, how long the miscreants had access to the Toys R Us network before swiping customer data, or whether they tried to extort the company before exposing the records online.

Toys R Us did not respond to The Register's questions about the details in the email, nor about how many people's details were stolen in the breach. We will update this story when we receive a response.

In the disclosure sent to customers, Toys R Us said it hired third-party cybersecurity experts to contain and investigate the security SNAFU. It is also in the process of reporting the intrusion to privacy regulatory authorities.

Businesses that leak customer data usually offer free digital identity and fraud monitoring services, because criminals can do all manner of mischief with the personal details stolen from Toys R Us’ database, including identity fraud and impersonation – especially when combined with other personal details easily found on social media sites – as well as personalized phishing attacks, doxxing, and even physical stalking and harassment.

However, the toy retailer hasn't offered such services to its customers.

While the company didn’t disclose who was responsible for the breach, a few notable data heists happened around the same timeframe in which Toys R Us says it spotted the stolen customer details online.

Beginning in the summer, a campaign abusing OAuth tokens via Salesloft’s Drift integration allowed attackers to access numerous companies’ Salesforce instances and steal customer data. Cloudflare reported the attack hit “hundreds” of organizations.

Additionally, CL0P-linked extortionists’ recent raid on Oracle E-Business Suite (EBS) may have begun as early as July, according to Google, with the crims compromising “dozens” of organizations. ®
