The Canadian branch of Toys R Us informed customers on Thursday about a significant data breach that compromised their personal information. The incident, which occurred on July 30, involved attackers accessing a database and subsequently posting the stolen data online.
In a breach disclosure notice sent via email to affected customers and shared on social media, the toy retailer confirmed that the intruders had indeed stolen customer records. The compromised data includes names, addresses, phone numbers, and email addresses, but notably, no passwords or credit card information was involved, according to the company”s alert.
The notice did not provide specific details regarding when the breach took place or the duration of the attackers” access to the Toys R Us network prior to the data theft. Additionally, it remains unclear whether the hackers attempted to extort the company before making the information public.
Despite inquiries from The Register regarding the specifics of the breach and the total number of affected customers, Toys R Us has not yet provided a response.
In their disclosure, Toys R Us mentioned that they have engaged third-party cybersecurity experts to investigate and contain the breach. The company is also in the process of reporting the incident to relevant privacy authorities.
Typically, companies that experience data breaches offer complimentary digital identity and fraud monitoring services to affected customers. Such measures are crucial as the stolen personal information can lead to identity theft, phishing attacks, and other criminal activities when combined with publicly available information from social media. However, Toys R Us has not extended such services to its customers following this incident.
While the company did not disclose the identity of the perpetrators, it coincides with several other notable data breaches that have occurred around the same time. For instance, an ongoing campaign exploiting OAuth tokens through Salesloft”s Drift integration has allowed attackers to access numerous organizations” Salesforce accounts and extract customer data. Reports indicate that this attack affected hundreds of businesses.
Moreover, there are indications that a recent attack associated with the CL0P group on the Oracle E-Business Suite may have started as early as July, compromising numerous organizations.
