Hackers stole payment data from Garmin South Africa shopping portal

Garmin, the multinational company focused on GPS technology for automotive, aviation, marine, outdoor, and sport activities is victim of a data breach.

Garmin is the victim of a data breach, it is warning customers in South Africa that shopped on the shop.garmin.co.za portal that their personal info and payment data were exposed.

The stolen data, included customers’ home addresses, phone numbers, emails, and credit card information that could be used to make purchases (i.e. Card number, expiration date and CVV code for your payment card).

“We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website,” said Jennifer Van Niekerk, South Africa Managing Director.

“The compromised data was limited to only Garmin’s South Africa site, and contained payment information, including the number, expiration date and CVV code for your payment card, along with your first and last name, physical address, phone number and email address.”

Garmin SA recommends customers to review and monitor all their payment card records for any purchases, it seems that the company is not offering to the impacted customers any fraud protection service.

Impacted customers have to contact their bank or payment card provider.

The breached shopping portal was using the popular Magento ecommerce platform, it was shut down after the security breach was discovered.

The Register contacted Garmin South Africa to receive more info on the incident, the company confirmed that the attackers used a software skimmer to siphon customers payment details.

Garmin explained that the e-commerce site “was operated by a third party on behalf of Garmin South Africa.”

“Promptly after learning of this incident, we immediately shut down the impacted system, began an investigation, and contacted the South African Information Regulator.” Garmin told to ElReg.

“While Garmin does not store credit card information, the unauthorized party leveraged virtual skimming technology to capture customer details at the time of input, including credit card information.” It added that the incident was isolated to a few thousand customers who accessed the SA portal: “This incident affected less than 6,700 customers in South Africa and does not affect customers who purchased from other Garmin websites in other regions.”

When dealing with such kind of attacks, most of them were carried out by an umbrella of hacking crews that are tracked as Magecart, but at the time their involvement was not demonstrated by any security firm.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]