In a significant cybersecurity incident that remained undetected for nearly nine months, SelectBlinds, an Arizona-based window coverings retailer, has disclosed a massive data breach affecting 206,238 customers. The breach began on Jan. 7 and was only discovered on Sept. 28, when the company identified suspicious activity on its website, as detailed in breach notifications filed in Maine and California.
Scope of the SelectBlinds Data Breach
Through its investigation, SelectBlinds discovered that attackers had gained access to customers’ names, email addresses, shipping and billing information, phone numbers, and most critically, complete payment card details including card numbers, expiration dates, and CVV security codes. For customers who logged into their accounts during checkout, their website credentials were also compromised.
The attack methodology bears the hallmarks of sophisticated e-skimming operations, commonly known as Magecart attacks. These attacks represent an increasingly prevalent threat in the e-commerce landscape, where cybercriminals inject malicious JavaScript code into website checkout pages. This creates an invisible net that captures customer data in real time as unsuspecting shoppers complete their purchases.
Understanding E-skimming and Magecart Attacks
Imagine you’re shopping at your favorite online store, entering your credit card information to buy something. What you can’t see is that a digital pickpocket might be silently copying every keystroke you make—this is e-skimming.
When cybercriminals successfully infiltrate an e-commerce website, they insert malicious code that acts like a secret camera pointed at the checkout page. Every time a customer types in their credit card number, security code, or personal information, this invisible code makes a perfect copy and sends it to the criminals.
What makes these attacks particularly dangerous is their stealth. In SelectBlinds’ case, “an unauthorized third party embedded malware on the SelectBlinds website that allowed data scraping on sales transactions that were entered on the check-out page”. The website continued working normally—customers could still make purchases, the pages loaded correctly, and nothing seemed amiss. This invisibility allowed the attack to continue undetected for approximately eight months.
Think of it like a compromised ATM—except instead of placing a physical card skimmer on the machine, criminals place digital code on the website. The difference is you can often spot a physical card skimmer, but this digital version is completely invisible to shoppers.
These attacks have become increasingly common because they’re both lucrative and hard to detect. Unlike stealing data from a company’s database where the information might be encrypted, e-skimming captures the data at the moment customers type it in, before any encryption takes place.
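Because the injected code leaves the checkout page working normally, site operators catch it by watching the page's scripts rather than its behavior. The following is an added example, not code from SelectBlinds or the original article: a Node.js check that compares the scripts on a checkout page with an approved baseline. The domains, page contents and function names are constructed for illustration.

```javascript
// Added example (not from the article): audit checkout-page scripts against a baseline.
const crypto = require("crypto");
const sha256 = (text) => crypto.createHash("sha256").update(text, "utf8").digest("base64");

// Pull every <script> out of the served HTML (regex is a simplification; use a parser in production).
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push(src ? { kind: "external", src: src[1] } : { kind: "inline", body: m[2] });
  }
  return scripts;
}

// Report external scripts from unapproved origins and inline scripts whose hash is unknown.
function auditCheckoutPage(html, pageUrl, baseline) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.kind === "external") {
      const origin = new URL(s.src, pageUrl).origin;
      if (!baseline.origins.includes(origin)) findings.push({ type: "unapproved-origin", detail: origin });
    } else if (s.body.trim() !== "") {
      const hash = sha256(s.body);
      if (!baseline.inlineHashes.includes(hash)) findings.push({ type: "unapproved-inline", detail: hash });
    }
  }
  return findings;
}

// Constructed sample data: hypothetical shop, payment provider and third-party host.
const PAGE_URL = "https://shop.example.test/checkout";
const APPROVED_INLINE = 'window.cartId = "c-1001";';
const BASELINE = {
  origins: ["https://shop.example.test", "https://pay.example.test"],
  inlineHashes: [sha256(APPROVED_INLINE)],
};
const CLEAN_PAGE = `<html><body><form id="pay"></form>
<script src="/js/checkout.js"></script>
<script src="https://pay.example.test/v1/sdk.js"></script>
<script>${APPROVED_INLINE}</script></body></html>`;
// Same page after an unreviewed change: one new script host, one altered inline script.
const TAMPERED_PAGE = CLEAN_PAGE
  .replace("</body>", '<script src="https://cdn.metrics.example.net/c.js"></script></body>')
  .replace(APPROVED_INLINE, APPROVED_INLINE + " /* edited */");

console.log(auditCheckoutPage(CLEAN_PAGE, PAGE_URL, BASELINE));    // no findings
console.log(auditCheckoutPage(TAMPERED_PAGE, PAGE_URL, BASELINE)); // two findings
```

This check only sees script tags in the served HTML, so it does not notice a change made inside an approved script file or a script added at runtime. Hashing the script files themselves on a schedule covers the first gap.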
How Has SelectBlinds Responded?
SelectBlinds’ response to the discovery included immediate containment measures. “We quickly contained the incident and eradicated the malware and elements of unauthorized access,” the company stated in its notification letter. Additional steps included increased monitoring, improved security controls, and system reinforcement.
Protecting Yourself From Sophisticated Payment Fraud
The SelectBlinds breach isn’t an isolated incident but part of a broader trend in payment card theft. According to Recorded Future’s 2023 Payment Fraud Intelligence Report, cybercriminals are becoming increasingly sophisticated, combining technical attacks like e-skimming with social engineering tactics. In 2023 alone, over 119 million stolen payment cards were posted for sale on dark web markets, resulting in billions in preventable fraud losses.
This pattern of payment card theft has also caught the attention of law enforcement worldwide. Recent actions by Russian authorities against alleged Magecart hackers underscore the global nature of this threat. These cybercriminals are part of an increasingly sophisticated ecosystem that targets e-commerce platforms to steal payment card data.