Fashion mart Miinto unzips breach details, warns shoppers to watch for phisherfolk

3 hours ago 8

security

Copenhagen company ‘sorry’ after 'perpetrator' pops order management system

Danish ecommerce company Miinto admitted an intruder has been looking at its order data, according to emails it sent to customers this week.

The emails, seen by The Register, do not comment on the scale of the data accessed by the perp or how exactly the breach occurred, although UK-based customers of the Copenhagen-HQ'd biz have received them.

“We are writing to let you know about a security incident that may have affected some of the personal data associated with a purchase you made on Miinto,” the email states. 

“We have reported this to the police and to the relevant data protection authority, and we are contacting you directly so that you know exactly what happened and what to watch out for. We know a notice like this can be unsettling, and we want to be as clear and transparent with you as we can.”

“An unauthorized party gained access to our internal order management system, and the perpetrator may have retrieved order data where your order data is potentially included,” it adds.

Miinto, an online marketplace for fashion brands, confirmed that names, email and physical addresses, and phone numbers were among the data types exposed to crooks. 

Customers’ payment methods were compromised too. The email explained this would reveal whether customers paid using a card, and what type of card, or pay-in-three services like Klarna, but the attack did not expose details such as card or verification numbers.

Miinto warned customers of the risk of phishing attacks that impersonate the brand and use the details swiped from the breach to make communications seem more convincing.

“We have taken this incident extremely seriously and have worked quickly to contain it,” the email states. 

It removed the intruder from systems and improved its security measures, increasing access controls on its order management system.

“We sincerely apologize for any concern or distress this notice may cause,” Miinto wrote. “Protecting the information you entrust to us is a priority we do not take lightly.

“We have already strengthened the security of our systems, and we are continuing to invest in measures designed to reduce the risk of anything like this happening again.”

The company did not disclose the attack via public channels, nor did it respond to The Register’s request for comment.

Founded in 2009, Miinto operates in 14 countries and in January reported annual revenues soaring 86 percent to 869 million kr ($132.9 million). ®

Read Entire Article