Garmin SA customers beware: your credit card details might be stolen

Garmin South Africa reported a security breach that resulted in its customers' credit cards compromise

Garmin SA experienced a data breach: customers' credit card details and other sensitive information exposed

Sports gadget and GPS device producer Garmin South Africa experienced a data breach that affected customers who purchased goods from shop.garmin.co.za. On September 12th, South Africa Managing Director Jennifer Van Niekerk started sending out the notifications to the affected users, explaining that their sensitive information has been breached:^[1]

We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website.

According to the statement, the exposed information included users' names, surnames, email, and physical addresses, as well as payment card numbers, expiration dates, and the CVV codes. However, Van Niekerk did not provide any further details on the hack itself, although many speculations were exposed by multiple online sources.

Garmin Ltd. is an American tech company established in 1989, and specializes in automotive, marine, aviation, outdoor and sports GPS products. As of 2018, the company employed 13,000 people worldwide, including Garmin SA (previously known as Garmin Distribution Africa) which was acquired by Garmin in 2011.^[2]

At the time of the writing, shop.garmin.co.za remains offline “due to maintenance downtime or capacity problems.”

The stolen information can be used for fraud – Garmin SA customers should take actions to prevent it

CCV codes, full names, credit card number and other compromised data is enough for cybercriminals to commit fraud and make illegal purchases – the affected customers should immediately take action to prevent money loss and identity theft. Jennifer Van Niekerk urged users to monitor their credit card card transactions via online banking to ensure no unauthorized purchases were made. Those who notice suspicious activity should immediately contact the bank for further instructions.

While the Director apologized for the incident, it does not make it any better for the affected users, as their credit scores might be affected. Data breaches can negatively impact peoples' lives, as even their identity might be at risk of being stolen by criminals.^[3]

Senior research manager for cloud and IT services at IDCJon Tullett told ITWeb about the incident:^[4]

These sorts of leaks are so common, it makes a mockery of ‘we take data privacy seriously’ disclaimers. Getting POPIA [Protection of Personal Information Act] into full effect at this late stage is unlikely to make much difference. Unfortunately, a deeper rethink of personal credentials is needed to render stolen information valueless to hackers.

Magecart hacking group suspected targeting Garmin SA

Typically, data breaches that affect online portals are connected to an unprotected database left for everybody to see or incorrectly configured API. However, the problem affecting Garmin SA seems to be more universal and rather a consequence of a hack than the leaky bucket that was left open.

Even though there are no details provided by Garmin SA on what exactly happened and who the attackers were, many experts believe that the attackers were related to the notorious Magecart group.

Magecart is an umbrella name for multiple criminal gangs which specialize in e-commerce website skimming – inserted an obfuscated JavaScript allows the attackers to harvest the most sensitive data that customers enter while making purchases Hackers are known to previously compromise an online ticket company Ticketmaster, the carrier airline British Airlines, online retailer Newegg,^[5] and many other firms.

Security researcher Jérôme Segura also speculates that the attack is related to Magecart:^[6]

Today Garmin disclosed a breach for its South African shopping portal 'shop[.]garmin[.]co[.]za' (now in maintenance mode).
While the cause is not mentioned, the kind of stolen data (typical checkout form fields) and the CMS (Magento) sound like a Magercart skimmer.