Major Canadian Retailer Discloses E-commerce Breach
Toys “R” Us Canada has officially confirmed a data breach impacting customers who made purchases through its e-commerce website. The company began sending notification letters in May 2024, detailing a security incident where an unauthorized party gained access to customer information. According to the notice, the breach occurred between December 1, 2023, and January 10, 2024. The incident was discovered after the retailer identified suspicious online activity related to its e-commerce platform. The breach was attributed to malicious code that had been injected into the website’s checkout pages via a third-party vendor’s services.
Details of the Compromised Information
The investigation into the breach determined that a range of personal and financial data was exposed. Information accessed by the unauthorized actors includes customer names, billing and shipping addresses, email addresses, and phone numbers. Additionally, the Toys “R” Us loyalty program numbers for approximately 43,000 members were compromised. For a specific group of customers who completed online checkouts between November 2023 and January 10, 2024, partial payment card information was also exposed. This sensitive data includes credit card numbers, card expiration dates, and the CVV security codes. The company has confirmed the malicious code responsible for the data theft has been removed.
Company Response and Customer Support
Following the discovery, Toys “R” Us Canada engaged third-party cybersecurity experts to secure its systems and investigate the extent of the incident. The company has also reported the breach to the appropriate Canadian privacy regulatory authorities. To assist those affected by the data exposure, Toys “R” Us Canada is offering two years of complimentary credit monitoring services through TransUnion of Canada. The notification letters sent to impacted customers include instructions and an activation code to enroll in the identity protection service.
Concise Cyber 