Kiddicare has admitted a cyberattack which has exposed sensitive data belonging to 794,000 users.
According to Kiddicare (.PDF), the company became aware of the data breach after customers began receiving suspicious text messages.
While the company only sends text messages related to product delivery, these messages — most likely part of a phishing campaign — attempted to lure customers to click a link and take an online survey.
Kiddicare provides child toys and accessories for customers in the United Kingdom. The company has been criticised for not advertising the breach in a transparent fashion on either social media accounts or the front home page of the retailer’s website; instead, emails were directly sent to affected users.
Users which have had their accounts compromised have had their names, delivery addresses, email addresses and telephone numbers exposed, although the UK retailer insists no financial data was included in the breach.
Kiddicare insists the threat level for victims is “low,” but that statement is up for debate, as such a dataset — including names, addresses and phone numbers — can be valuable when it comes to social engineering campaigns or identity theft.
The company says it has reported itself to the UK’s Information Commissioner (ICO).
In related news, software-as-a-service (SaaS) company UserVoice has recently admitted a cyberattack has exposed information belonging to customers, made worse through the weak hashing of stored passwords.