Jewson payment card breach affects almost 1,700 customers

The personal information of almost 1,700 customers has potentially been exposed after builders merchant Jewson suffered a data breach. The affected data is said to include “names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers” and “may have fallen into the hands of an unauthorised person”.

According to recent reports, the incident happened on 23 August but was only discovered on 3 November, meaning that the hackers had a substantial amount of time to do as they wished. It is not known at this stage how the breach was detected.

Upon discovery, the Jewson Direct website was taken offline in a bid to prevent further damage and will not be available until investigations are complete. The Information Commissioner’s Office (ICO) has been informed and will no doubt launch an investigation of its own.

Jewson has written to customers advising them of the breach and is offering them “complimentary 12 month memberships to Experian ProtectMyID” as a precautionary measure.

A Jewson spokesperson told The Register:

At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website. The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data. No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.

We follow the Payment Card Industry Data Security Standard (PCI DSS). The Jewson Direct website has been taken offline and will not be turned back on until we are informed by independent third parties that any security issues have been corrected.
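The spokesperson's account (foreign code placed on the website, identified only weeks later, no card data stored yet card data potentially exposed) is the pattern of an injected script in a payment page. The following is an added example, not Jewson's code and not a description of what was found on their site: a small integrity check that compares the scripts a served page actually contains against a known-good baseline, so that an unexpected external or inline script surfaces as a finding rather than going unnoticed for months. The page markup, the `/static/checkout.js` path and the `cdn.example.invalid` host are constructed for the illustration.

```python
"""
Script-integrity audit for a served web page (added illustration).

Build a baseline from a known-good copy of the page (allowed external script
URLs plus SHA-256 hashes of allowed inline script bodies), then audit later
fetches of the same page against it. Anything not in the baseline is reported.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src="...">
        self.inline = []         # text of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def _collect(html: str) -> _ScriptCollector:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(known_good_html: str) -> dict:
    """Record which scripts a trusted copy of the page is allowed to carry."""
    found = _collect(known_good_html)
    return {
        "external": set(found.external),
        "inline": {sha256_hex(body) for body in found.inline},
    }


def audit_page(html: str, baseline: dict) -> list:
    """Return one finding per script that is not covered by the baseline."""
    found = _collect(html)
    findings = []
    for src in found.external:
        if src not in baseline["external"]:
            findings.append(f"unexpected external script: {src}")
    for body in found.inline:
        digest = sha256_hex(body)
        if digest not in baseline["inline"]:
            findings.append(f"unexpected inline script: sha256={digest[:16]}...")
    return findings


# Constructed sample pages: a trusted checkout page and a later fetch of the
# same page that carries one extra external script and an altered inline one.
KNOWN_GOOD_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg={currency:"GBP"};</script>
</head><body><form id="pay"></form></body></html>"""

MODIFIED_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.invalid/assets.js"></script>
<script>window.cfg={currency:"GBP",debug:1};</script>
</head><body><form id="pay"></form></body></html>"""


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_PAGE)
    for finding in audit_page(MODIFIED_PAGE, baseline):
        print(finding)
```

In practice the baseline would be regenerated from source control on every deploy and the audit run on a schedule against the live checkout URL, with any finding routed to the on-call queue; the same comparison can be extended to stylesheets and iframes, which are equally able to carry foreign code.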

Although Jewson said that it ‘follows’ the PCI DSS, it is unclear whether it is actually compliant with the Standard. Every business that takes credit or debit card payments, whatever its size, needs to be compliant with the PCI DSS. The Standard is there to protect both businesses and customers.

We offer a number of products and services to help with PCI DSS activities, including consultancy, penetration testing, training, staff awareness and books.

For further information, please refer to our PCI DSS datasheet.