- E-commerce company named AeroGrow International was infected with credit card stealing malware.
- The period of infection spans over six months, making the incident particularly severe.
- The company offers one year of ‘Experian’ card monitoring and protection services to their customers.
AeroGrow International, a Colorado-based company that sells indoor gardening products, has announced a severe security incident and has circulated notices of a data breach to the affected. According to the details given in the announcement, the company has discovered that their website was compromised by a malware tool that was able to steal payment information from customers who bought products through its e-commerce platform. The internal investigation yielded alarming results, as the malicious code snippet remained hidden on the vendor’s payment page between October 29, 2018, and March 4, 2019, when it was finally discovered.
The data that has been leaked may include the payment card numbers, expiration dates, and even the CCV/CVV numbers of the cards used for payment on the e-commerce platform. AeroGrow clarifies that no PII (personally identifying information) has been leaked, as they are not collecting any data of this type whatsoever. This means that social security numbers, personal identification numbers, driver’s license numbers, and any other kind of financial account information are safe. While this sounds relieving, the leaking of the complete credit card information is enough on its own to cause trouble to their lawful holders.
To sooth this part of the incident as well, AeroGrow has decided to offer one year of credit card activity monitoring and identity protection services at no cost for the affected customers. This service will be provided through the ‘Experian IdentityWorks Plus’ solution, so anyone who has received the relevant breach notice is urged to take advantage of this offering and enroll to the protection program until July 7, 2019. Each notice is accompanied by a unique “Engagement Number” that makes the affected eligible for this service, so make sure to keep it handy throughout the upcoming months, in case you notice any fraudulent activities on your credit card billing reports.
The reason why it took AeroGrow about a month to distribute these breach notices is that they were conducting an internal investigation to figure out who has been affected and in what way. The law enforcement has been notified as required by the local regulations, and cybersecurity specialists have been helping AeroGrow figure out what happened over the period of this past month. What has not been clarified yet is the number of customers that may have had their credit card data stolen, but considering that the malicious code remained planted in their network for over six months, it is likely to be a large number.