‘Made in Oregon,’ the Portland-based online gift retailer that operates on the “madeinoregon.com” domain, has disclosed a massive security breach that involves highly sensitive data of its customers. More specifically, Magecart actors planted a data skimmer on its website and siphoned everything that customers entered on the order forms between the first week of September 2020 and the last week of March 2021. That is a long exposure window, and it should correspond to a voluminous set of stolen data.
As per the details provided in the notice of the data breach that was shared with the relevant data protection authorities in the U.S., clients of ‘Made in Oregon’ should consider the following exposed:
The company is currently working with third-party consultants and computer forensics experts to conduct a thorough review of what exactly happened. In the meantime, the website no longer accepts personal information from visitors and clients, and this will remain the case until the company is confident that the website is clean.
To complement the response to this incident, recipients of the notices are also provided with a 1-year membership to the Experian IdentityWorks service, which should keep them safe from identity theft attempts over the upcoming period. Unique activation codes for this have been included in each notice, so each customer is advised to check their inbox.
If you have bought anything from ‘Made in Oregon’ between September 2020 and March 2021, consider your details compromised. This means treating all incoming communications with caution, monitoring your bank account statements, and reporting anything suspicious to the authorities or your card issuer.
The next time you buy something online, use either an electronic payment method or an anonymous pseudo-credit card that is not linked to your bank account but can instead be topped up. In this case, it took ‘Made in Oregon’ quite a while to discover the security breach and do something about it, so the actors had plenty of time to exploit the stolen data.