Start-Rite, a well-known children’s shoemaker, is facing a major security incident that has compromised sensitive customer data. Between October 14 and November 7, 2024, an attack on the company’s website led to the exposure of customers’ payment card details. This included personal information such as card numbers, expiry dates, CVV codes, billing addresses, and customer names as they appeared on their cards. Start-Rite has informed affected customers, urging them to contact their banks immediately to block their cards and request replacements.
The breach, which stemmed from a third-party application integrated with the website, has raised significant concerns regarding the company’s cybersecurity protocols. Although Start-Rite has removed the malicious code and secured the site, this marks the second major security failure the company has experienced in the last eight years. The first breach, reported in 2016, involved less sensitive customer data, but the latest incident, with its full spectrum of payment card information exposed, has added to fears about the company’s ability to protect its customers’ financial security.
As a precaution, Start-Rite has advised affected customers to monitor their bank and credit card statements for any unauthorized transactions since October 14, 2024. The company is also cooperating with law enforcement agencies and has reported the breach to the UK’s Information Commissioner’s Office (ICO). However, despite its notification to customers, Start-Rite has not yet publicly acknowledged the breach on its website or through its social media channels, prompting further scrutiny over its communication practices.
Security experts have questioned how such a breach could occur, pointing out that compliance measures like PCI DSS should help safeguard payment data. The attack highlights the risks of third-party integrations and the importance of ongoing supplier due diligence to ensure that external vendors are as secure as the company’s own systems. Experts suggest that the breach may have been caused by card-skimming tools or a similar attack on the payment page, underlining the need for stronger protections against malicious online threats.