Canadian online retailer Well.ca has suffered a data breach and may have lost the credit card information of some customers.
In an email to customers, the company admitted it had been hacked—in December or January. Several thousand customers' information—including addresses and full credit card information—may have been compromised, and Well.ca waited well over a month before notifying customers of this. There is a reason for that delay though, according to CEO Rebecca McKillican, who was interviewed by Candice So.
An attacker managed to get access to Well.ca’s website through a vulnerability, gaining access to customers’ credit card data as they typed it in for the first time to make a purchase. The vulnerability was closed Jan. 7 when the service provider did a routine change of security measures on Well.ca’s account. The service provider then informed Well.ca about two weeks ago, and Well.ca got further confirmation about the breach from its credit card provider less than a week ago.
“Because it was a small subset of customers [affected], our first priority was to contact those customers, and we’ve been using all of our resources this morning and early afternoon to reach out to those customers,” McKillican told So yesterday.