Kids' shoemaker Start-Rite trips over security again, spilling customer card info

Children's shoemaker Start-Rite is dealing with a nasty "security incident" involving customer payment card details, its second significant lapse during the past eight years. That's according to a recent notification sent to customers, seen by The Register, which didn't clarify exactly what the nature of that trouble was, …

  1. Terry 6 Silver badge

    Good for Barry

    I have a nasty suspicion that Start-Rite may not have been in too much of a hurry to give this widespread publicity.

    1. Korev Silver badge

      Re: Good for Barry

      Well, it's not the sole problem they've had...

  2. MatthewSt Silver badge

    Might need to give their security team the boot...!

    1. Korev Silver badge

      I was waiting for someone to shoe in a pun...

  3. BartyFartsLast Silver badge

    Well someone didn't start right if they haven't been encrypting and complying with PCI and GDPR regs

  4. Bendacious Silver badge

    11 scripts from 6 providers

    Just visited the Start-Rite checkout payment page and it loads 11 scripts from 6 different 3rd parties. It probably loads more if you allow those 11 scripts but my browser add-ons won't. This really sounds like someone injected Magecart into one of the many 3rd parties having a party on their payment page. It is possible to see this sort of attack coming but you have to be looking.

    1. Anonymous Coward

      Re: 11 scripts from 6 providers

      Scripts are not necessarily malicious but from 2025 the PCI Data Security Standard introduces more controls around scripts and integrity of the content delivered to the cardholder’s browser for this very reason - you can hack the card holder without there being anything apparently wrong on the e-commerce server.

      BTW, Magecart is a generic name for malicious script attacks, not a specific attack. You cannot inject Magecart; it is just the addition of a malicious script to a system to scrape card data. Magecart derived from Magento, the platform on which these types of attacks were most commonly seen, but this site is not a Magento installation.

    2. hoola Silver badge

      Re: 11 scripts from 6 providers

      And this will be common practice for so many websites.

      This always has been a disaster waiting to happen. It was the case of the BA fiasco a few years ago.

      It is cheaper to just outsource something or buy a service, most developers are not interested in security or the implications of the decisions they take.

      It is the future!!! (Or the past for the last 5 or more years.)

  5. MrBanana

    Squished

    Still can't get over my fear of kids' shoe fittings after so many visits to Clarkes and having my foot painfully squished into one of those metal "measuring" devices. I guess it was better than being irradiated by an X-ray foot-measuring fluoroscope, popular in the US since the 1920s.

    1. Captain Badmouth

      Re: Squished

      Clarkes had loads of fluoroscopes in their UK shops in the 1950s.

      Pity the poor shop assistants who had to operate the things.

  6. TKW

    Forget about encryption.... last time I checked, you weren't allowed to store CVV, so there'd be no chance of it being stolen. Hmm...

    1. sabroni Silver badge

      "you weren't allowed to store CVV"

      Hmm.... Maybe read the article before commenting?

      "Firstly that data could have been stored, this would be the worst outcome. Next on the list of possibilities is stealing the data when it has been entered into the system. A likely cause of this is card skimming type tools that we've seen attackers use in the past in previous breaches. I suspect that this is the most likely cause. These tools largely inject malicious JavaScript into online payment systems to then steal and forward the entered card details to the attackers."

  7. tiggity Silver badge

    Liked this line

    "These tools largely inject malicious JavaScript into online payment systems to then steal and forward the entered card details to the attackers."

    A huge issue is that most payment systems require lots of JavaScript (& often third party). As someone who surfs with JS disabled by default on "new" sites I visit, and then configure JS allow lists on a per site basis (or in many cases, just give up as there is so much needless JS!) I can say that online payment is a PITA*.

    * You go to make a payment & that fires off a whole new lot of scripts and domains that you need to assess for safety (or lack of)**

    ** Which is why I like companies with an online presence but that still also have a telesales option (a virtual beer to Richer Sounds*** & similar companies)

    *** Though their site is also, unfortunately, a fine example of too many different sources of JS

    1. Captain Badmouth

      I made a point of complaining to one that my daughter was trying to buy from.

      The reply was that the scripts didn’t matter as all the data was being entered into an iframe.

      Anyone find this re-assuring?
