In a cyber attack on Carpetright, hashed passwords may have been stolen. The flooring store has reported this to the privacy authorities in the Netherlands and Belgium.
In a response to Tweakers, Carpetright says it was affected by the cyber attack. The cybercriminals gained access to the passwords of all 30,000 Carpetright account holders from the Netherlands and Belgium. In the process, the hashed or encrypted versions of the passwords were also leaked, reports the flooring store in an email to its customers.
The attack was carried out via installed malware in the website’s backend. It would not be ransomware.
Through this malware, the cybercriminals could capture customers’ names, addresses, phone numbers and e-mail addresses, among other things. They also gained access to passwords hashed via SHA 256. The passwords were stored in the same database as the other data. No financial or payment information was captured.
Investigation and privacy notifications
Meanwhile, in cooperation with specialists, Carpetright is conducting forensic investigations into the cyber attack. Among other things, they are investigating what data was leaked and whether it was leaked. In addition, the flooring store has now reset all customers’ passwords and informed them.
The Dutch and Belgian privacy authorities have been notified of the data breach. This is according to obligations under GDPR laws and regulations.
Incidentally, Carpetright’s website does not refer to the reported data breach anywhere.
Read also: EuroParcs reports data breach; data restored via backup
17 hours ago
