Description
Squishable, a New York based company that makes cute and cuddly companion toys for children, suffered what is referred to as a Magecart attack that affected nearly 16,000 customers back in 2022. These types of attacks are carried out by injecting malicious scripts into e-commerce sites to steal payment information. In Squishable’s case, the malicious code was present on their website from May 26 to October 12, 2022, capturing sensitive data. The information collected by the attackers included customers’ names, addresses, and payment card details that included card numbers, security codes, access codes, and PINs. Squishable discovered the data breach after conducting an internal investigation and began notifying affected customers on March 2, 2023.
Basis of the Case
In May 2023, a class action lawsuit was filed against Squishable, alleging that the company failed to adequately protect sensitive personal information of its customers. The suit claims that Squishable violated its own privacy policy and neglected to implement proper security measures, including:
- Failing to encrypt customers’ personally identifiable information (PII)
- Not investing in necessary encryption technology
- Neglecting to install timely updates, patches, and malware protection
The plaintiffs assert that they and other class members suffered various damages due to the data breach including invasion of privacy, financial costs incurred mitigating the incident, loss of time and productivity incurred during the mitigation and financial costs that have occurred because of the data theft.
Award Settlement
A $500,000 settlement for the Squishable data breach was announced on October 29, 2024. The final approval hearing for this settlement is set for February 6, 2025.
Call to Action
Attacks such as the one experienced by Squishable can lead to financial losses due to fraudulent transactions, chargebacks, and lost revenue from stolen payment information. They can also significantly damage a company’s reputation by eroding customer trust or facing legal repercussions and hefty fines for PCI DSS non-compliance. Some of the recommended security measures you can take to secure yourself against such attacks include the following:
- Conduct frequent scans of your website to detect any unauthorized or malicious code.
- Organizations that host their own e-commerce platform should use real-time monitoring tools to detect and alert you to any changes in their website code.
- Adopt a zero-trust approach by implementing the principle of least privilege (PoLP), limiting system access to only essential personnel, and enforcing robust access controls with multifactor authentication (MFA) for all administrative functions.
- Ensure that all software is regularly updated and patched to effectively address vulnerabilities and eliminate insecure code.
- Use a web application firewall (WAF) to detect and block malicious traffic and injection attempts.
- Any company that accepts card payments must ensure that your security strategy incorporates PCI DSS compliance measures
Another measure is to conduct regular penetration tests and risk assessments. HALOCK has specialized experts that can offer an unbiased and comprehensive view of your vulnerabilities and ensure compliance with regulatory requirements. With our unique insight on establishing ‘reasonable security’, you can better manage your risks in the event of a breach. Contact us and learn how we can uncover hidden vulnerabilities and validate your existing security measures.
HALOCK recognized in 2024 Verizon Data Breach Investigations Report (DBIR) on how to estimate risk.
Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.