Grilling supplies retailer Char-Broil and cosmetics maker Tatcha were hit by hackers who accessed payment card information that shoppers entered during the online checkout process.

At least two online retailers have notified customers that their e-commerce sites were hacked recently. Malware installed on the sites collected shoppers’ payment data and personal information, such as addresses and phone numbers.

Japanese cosmetics manufacturer and retailer Tatcha began notifying shoppers earlier this month that its site had been breached sometime in early 2017.

“An unauthorized person may have gained access to information keyed into the Tatcha checkout process. While Tatcha does not store credit card information on its systems, the intruder was potentially able to capture information as it was entered,” according to a letter to consumers from Tatcha that was posted on the California attorney general’s website. The captured information may include a person’s credit card security code, basic credit card information, billing address and a shopper’s Tatcha password, according to Tatcha, which states that it discovered the hack in April.

A Tatcha spokeswoman says the company is in the process of upgrading its systems.

“We took down our site temporarily to perform maintenance and make sure the issue is taken care of, and are conducting an internal review of our systems to help further harden our defenses against similar attacks in the future,” she says. Tatcha did not specify how many shoppers were affected by this breach or how long its site was down.


Tatcha wasn’t the only retailer to fall victim to this kind of attack.

Barbecue equipment manufacturer and retailer Char-Broil sustained a similar breach. In a letter that a customer posted to online message board Reddit, Char-Broil informs customers that a hacker implemented malicious code on its website that gave criminals access to a shopper’s payment card information and billing information.


Shoppers who bought from the site between March 22 and April 21 could have been affected by this breach, according to the letter. Char-Broil states that it is working with payment card providers and law enforcement on the incident. It also says it is upgrading its systems, according to the letter. Char-Broil did not immediately return requests for comment, but calls to its customer service line about the breach are transferred to a service number where customer inquiries about the breach are addressed.

Security experts say if a retailer notices it has fallen victim to a similar hack, the first thing it needs to do is meticulously evaluate all code on its website.

A recent rash of malware attacks has targeted mid-tier e-commerce providers across the United States, the United Kingdom and India, in such industries as apparel, home goods and beauty, says Chris Olson, CEO of website security software vendor The Media Trust.


“Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer,” Olson writes in his blog. “Considering these e-commerce firms earn anywhere from $10,000 to $400,000 a day, the e-commerce firms risk significant revenue loss and negative consumer confidence.”
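
The overlay Olson describes can be looked for by its behavior on the rendered page rather than by a malware signature. The JavaScript below is an added example, not code from The Media Trust or either retailer; the snapshot format, element ids, `.example` host names and the 0.5 coverage and 0.1 opacity thresholds are constructed assumptions.

```javascript
// Hosts the checkout is expected to send card data to (assumed allow-list).
const FIRST_PARTY = new Set(["shop.example", "payments.shop.example"]);

// Constructed snapshot of a rendered checkout page, as a monitoring crawler
// might record it. rect = [x, y, width, height] in CSS pixels.
const snapshot = [
  { id: "card-number", tag: "input", rect: [100, 200, 300, 40], opacity: 1, zIndex: 1, postsTo: "payments.shop.example" },
  { id: "card-cvv", tag: "input", rect: [100, 250, 120, 40], opacity: 1, zIndex: 1, postsTo: "payments.shop.example" },
  { id: "promo-banner", tag: "div", rect: [0, 0, 800, 80], opacity: 1, zIndex: 5, postsTo: null },
  { id: "x9f", tag: "iframe", rect: [95, 195, 320, 110], opacity: 0.01, zIndex: 9999, postsTo: "cdn-stats.example" },
];

// Fraction of rectangle `a` that rectangle `b` covers (0 when they do not intersect).
function coverage(a, b) {
  const w = Math.min(a[0] + a[2], b[0] + b[2]) - Math.max(a[0], b[0]);
  const h = Math.min(a[1] + a[3], b[1] + b[3]) - Math.max(a[1], b[1]);
  return w > 0 && h > 0 ? (w * h) / (a[2] * a[3]) : 0;
}

// Flag elements stacked above the card fields that are either nearly
// invisible or wired to a host outside the allow-list.
function findOverlaySkimmers(elements, cardFieldIds, allowedHosts) {
  const cardFields = elements.filter((e) => cardFieldIds.includes(e.id));
  const findings = [];
  for (const el of elements) {
    if (cardFieldIds.includes(el.id)) continue;
    const covered = cardFields.filter(
      (f) => el.zIndex > f.zIndex && coverage(f.rect, el.rect) >= 0.5
    );
    if (covered.length === 0) continue; // not on top of any card field
    const reasons = [];
    if (el.opacity < 0.1) reasons.push("near-transparent layer above card fields");
    if (el.postsTo && !allowedHosts.has(el.postsTo)) {
      reasons.push(`sends data to unlisted host ${el.postsTo}`);
    }
    if (reasons.length > 0) {
      findings.push({ id: el.id, covers: covered.map((f) => f.id), reasons });
    }
  }
  return findings;
}

const report = findOverlaySkimmers(snapshot, ["card-number", "card-cvv"], FIRST_PARTY);
console.log(JSON.stringify(report, null, 2));
```

In practice the snapshot would be collected from a real browser session across several device and browser profiles, since injected code may only render for some visitors.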

The Media Trust does not identify the names of websites experiencing breaches and would not comment on Char-Broil or Tatcha. The Media Trust estimates that a dozen e-commerce sites were affected by this type of attack.

In checking website code for issues, an e-retailer should realize “the most accurate malware detection method involves scanning all code for anomalous behavior, not just malware signatures, by using real audience profiles,” Olson tells Internet Retailer. “Only through emulating a true website visitor—through a multitude of browsers and operating systems, devices and geography combinations, along with distinct cookie-based user behavior profiles—can an enterprise identify and block the thousands of active malware infections propagating in the digital environment,” he says.

If retailers uncover a breach, they should immediately reach out to the vendors they work with and have those vendors audit their own software and verify that what’s being used to run the site is authentic. “It’s likely the malicious activity is executing through a third-party vendor. Instead of pulling your website offline, call the compromised vendor and tell them to stop executing until they can confirm it is clean,” Olson says.