Animates data breach affects thousands of online customers
New Zealand pet supplies retailer Animates has shut down its website after it was hit by a data breach, affecting 2700 customers.
The company says anyone who has purchased items from its website should keep an eye on their bank statements.
Between June 29 and September 13, an as-yet-unknown third party breached its website and may have accessed customers' personal information and payment details.
"Through our investigation to date credit/debit card data has been targeted through the breach. Any personal information shared with us may have also been impacted by the incident. This could include your address, phone number, email address, username or password," the company explains on its website.
The company adds that it doesn't hold customers' credit and debit card data on its own servers – instead it is held with banks via a secure payment gateway.
The breach seems to have been caused by malicious software that infected the website and remained undetected. The company only found the breach after a security audit. Once Animates discovered the breach, it shut down the website and began an investigation.
That investigation is ongoing as it works with external security consultants, and the website remains offline as of September 24. The company also says it has notified relevant legal and privacy authorities.
"We've engaged third party IT security experts to investigate all possible vulnerabilities and there is a chance we may not find this who has been impacted by this incident. We are taking a proactive approach to directly notify the potential risk of all 20,000 customers that have entered personal information on our site," a statement says.
"We take the protection of our customers' data very seriously and we are launching a new website that has passed security audits from third party security specialists. This website is due to go live in the coming days."
The company says that customers who paid for items in physical stores, and those who used PayPal or Layby to pay for purchases online, have not been affected by the breach.
"We will be emailing our customers soon to notify them the new website is live and to create a new password for their account."
Animates suggests that customers should:
- Monitor credit card/debit activity closely: For customers that used a credit or debit card to make a purchase during the impacted period, you should monitor your credit/debit card statements closely and report any unusual activity to your bank.
- If the credit/debit card you used on our website does not belong to you, please take steps to bring this email to the cardholder's attention so that they can take steps to prevent potential misuse.
- Change similar passwords across other sites. If you use the same password that you used to access Animates across other websites (such as email, social media, online banking etc.), we would encourage you to reset these passwords as a precaution.
- Keep a look out for email, telephone and text-based scams.
"We unreservedly apologise this incident has occurred. At Animates, we have always prided ourselves on providing great experiences for our customers," the company concludes.
Animates customers who have any further questions or concerns can email privacyofficer@animates.co.nz or visit www.animates.co.nz/data-breach for more information.
Those who are concerned about their credit or debit cards should contact their bank.