[BreachExchange] Garmin SA Shopping Portal Breach Leads to Theft of Payment Data

Destry Winant destry at riskbasedsecurity.com
Fri Sep 13 10:17:59 EDT 2019


Garmin Southern Africa (Garmin SA) disclosed today in a series of
notifications sent to its customers that payment and sensitive
personal information were stolen from orders placed on the
shop.garmin.co.za shopping portal.

Garmin SA was previously a Garmin distributor named Garmin
Distribution Africa (GDA) before being acquired by Garmin, a global
leader in satellite navigation, on September 2011.

In a press release published on July 31, 2019, Garmin announced a
"Record second quarter revenue of $955 million, a 7% increase, with
aviation, marine, fitness and outdoor collectively increasing 12% over
the prior year quarter."

Payment info including CVV codes stolen

"We recently discovered theft of customer data from orders placed
through shop.garmin.co.za (operated by Garmin South Africa) that
compromised your personal data related to an order that you placed
through the website," said Jennifer Van Niekerk, South Africa Managing

"The compromised data was limited to only Garmin’s South Africa site,
and contained payment information, including the number, expiration
date and CVV code for your payment card, along with your first and
last name, physical address, phone number and email address."

Garmin SA recommends its customers to review and monitor all their
payment card records for any unauthorized purchases.

Affected customers who received the data security incident
notification are also urged to reach out to their bank or payment card
providers if they see or suspect any fraud.

"As a valued customer, we apologize for this incident and assure you
that Garmin takes our obligation to safeguard personal data very
seriously," added Van Niekerk.

Possible Magercart skimming incident

While the cause of the breach is not mentioned in the notification
email to the impacted Garmin SA customers, there are signs that the
shop.garmin.co.za portal was the victim of a Magecart group.

Currently, the breached shopping portal is now in maintenance mode and
it displays a "Service Temporarily Unavailable" message with the
following explanation: "The server is temporarily unable to service
your request due to maintenance downtime or capacity problems. Please
try again later."

Seeing that the portal runs on a Magento CMS there is a high
probability that the Garmin SA customers' data was harvested with the
help of a payment card skimmer embedded on the site's payment page
according to

"While the cause is not mentioned, the kind of stolen data (typical
checkout form fields) and the CMS (Magento) sound like a Magercart
skimmer," said Malwarebytes security researcher Jérôme Segura.

Magecart groups are highly effective and continuously evolving
cybercrime groups that have been around since at least 2015, operating
campaigns as active as ever four years later.

As RiskIQ's head of threat research Yonathan Klijnsma said in a report
from May 1 analyzing the expansion of Magecart activity to OpenCart
and OSCommerce stores, "for every Magecart attack that makes
headlines, we detect thousands more that we don’t disclose."‏

BleepingComputer asked Garmin SA to pinpoint the cause of the incident
and to give an estimate of the total number of users impacted but had
not heard back at the time of this publication. This article will be
updated when a response is received.

More information about the BreachExchange mailing list