UK firm HIDS4U, which sells Xenon HID headlight conversion kits, reversing cameras, parking sensors and other high-tech gear for motorists, has warned customers to be wary of phishing emails after it came to light that past customers were being targeted by scammers, and a database of customers was found on a hacked website.
News of the breach first surfaced on Wednesday on a discussion of the PistonHeads online motoring forum PistonHeads, after HIDS4U customers reported receiving phishing emails from the company, claiming to offer a free Dash Cam as a loyalty reward.
Clicking on the link contained within the email would take users to a scam webpage posing as HIDS4U, but in reality hosted on a Texan orthopaedic centre’s hacked website.
In the web server’s folder a CSV file containing the names, email addresses and postal addresses of 4179 customers was found.
PistonHeads forums members contacted HIDS4U, who have now emailed their customer base warning of the threat, and advising users to not fall for “Special Deal” and “Free Gift” offers that they might receive via email.
“It looks like our site was breached some time ago (we’re still investigating the exact time frames) and it is this data that is being used. It looks like they have obtained email, name and address details. However please be aware that we do not and have never stored any credit/debit card details. Therefore they would not be able to take any payments from your account unless you act on the phishing emails.”
Customers who have already acted upon the scam emails, and handed over their payment card details, are advised to cancel the compromised cards and keep an eye open for any fraudulent payments.
HIDS4U says that it takes security “very seriously”, and that there is “no sign” that its site is currently breached.
Well, maybe it is taking security more seriously now. But that doesn’t explain how data managed to spill out of the company, and it doesn’t excuse the lack of any mention of the data breach on HIDS4U’s website, its Twitter account, or Facebook.
I would expect any company serious about security to have gone out of its way to ensure that users were kept informed about what was going on – at the very least a mention on their website would have reassured users who received the warning email that what they had received was itself legitimate.
I don’t know whether HIDS4U has informed the UK’s Information Commissioner’s Office (ICO) about the security breach or not. I did contact them to ask, but they haven’t responded.
<Company> says that it takes security "very seriously", and that there is "no sign" that <…>
Standard, meaningless wordage issued by every company that has a security wobble. No company appears to suffer overmuch as a result of their bad security, so why waste effort (= money) when words are much cheaper.