Claire’s customers may have had their card payment details stolen after the brand and its sister company Icing were hit by a skimming cyber-attack.
The accessories retailer, which was forced to shut its entire physical store estate in 2018, saw its website hit by a ‘magecart’ attack from April 25 to June 13.
Magecart attacks see hacked illegally install software which makes copies of customers payment data at checkout and has become one of the leading causes of online fraud.
Claire’s has warned customers who made purchases during this period to be on the lookout for any unauthorised charges and alert their card providers fraud team if they see anything suspicious.
The retailer said it didn’t currently know how many customers had been affected, but that it had launched a full investigation into the matter.
Sansec discovered the breach and informed Claire’s on Friday, to which the brand “took immediate actions to investigate and address it”.
“Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process,” the retailer added.
“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.
“Cards used in our retail stores were not affected by this issue. We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorized charges.
“The payment card network rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported. We regret that this occurred and apologize to our customers for any inconvenience caused”
Magecart specifically targets online retailers, and has previously attacked British Airways, TicketMaster, Newegg, Feedify, Shopper Approved and a raft of smaller independent retailers.