Housewares giant OXO hit hard by Magecart

Kitchen and office goods giant OXO has been notifying customers of a data breach — a task it has performed multiple times over the past few months after the credit card skimming malware Magecart was found on its e-commerce website.

In a letter obtained by CyberScoop dated Dec. 26, the company says it discovered “the security of certain personal information” had been compromised via the company’s website during three distinct time frames:

• June 9, 2017 — Nov. 18, 2017
• June 8, 2018 — June 9, 2018
• July 20, 2018 — Oct. 16, 2018

The latest discovery was made on Dec. 18, 2018, according to the notice. Over the past year, security researchers have found instances of Magecart on OXO’s website. The malware, which has been found to be used by several different groups, skims various information from billing forms used on e-commerce sites.

The December notice comes as OXO had previously issued breach notification letters in October. In those cases, the company stated that it discovered “an outside source inserting unauthorized code on OXO’s website that collected information entered into the customer order pages.”

The time frame in the October letters says the website had been compromised between July 1, 2018 and Oct. 1, 2018.

In both the October and December letters, OXO believes that information regarding name, business and shipping address, and credit card information was stolen.

OXO’s parent company, Helen of Troy, did not respond to CyberScoop’s multiple requests for comment.

Magecart has been named as the culprit in multiple data breaches regarding e-commerce sites. Over the past six months, the malware has been found on sites run by British Airways, Ticketmaster UK, Newegg, and BevMo.