Aussie fashion e-tailer Princess Polly suffers data breach

Australian online fashion e-tailer Princess Polly suffered a data breach which may have exposed customers’ personal and payment information to an “unidentified third party”.

The company warned customers in an advisory note to watch their credit or debit card statements closely and to report unusual activity to their bank.

While it did not store payment information on the Princess Polly site, the company said that the attackers may have been able to capture payment details as they were typed into the site.

“When you enter payment information on our site, it is redirected to a payment gateway which means that Princess Polly does not process the payment information and it is not stored by Princess Polly,” it said.

“However, during this incident the third party may have been able to access credit card details while being entered at check-out.”

Princess Polly said that the data breach had been uncovered “recently” and that it impacted customers that shopped on its A/NZ site between 1 November 2018 and 29 April 2019.  

In addition to payment details, the attacker or attackers may also have been able to access billing and shipping name, address, email and phone number, date of birth; and usernames and passwords.

Customers that used alternative payment options did not have their payment information compromised, according to the company.

The e-tailer warned customers to change their passwords and to be vigilant against phishing and other scams that may attempt to make use of stolen information.

“For those customers who made purchases using Afterpay or PayPal, there is no evidence to suggest that your payment information has been affected,” Princess Polly said.

Co-CEO Wez Bryett said that the e-tailer had “appointed external IT and cybersecurity consultants to fully investigate the incident.”

“These experts have confirmed that our website is now secure, including any personal or payment information provided when shopping with Princess Polly,” Bryett said.

“We are extremely sorry that this incident has occurred. At Princess Polly, we have always prided ourselves on doing the best we can for our customers and apologise for any impact this incident has on our customers.

“We take the protection of our customers' data very seriously and have further strengthened our security measures to ensure that our customers' information is secure.”

The e-tailer said that it has now upgraded its payment gateway provider to Braintree, “a PayPal owned company, who meet the highest security standards”.

It said that its US website was not affected by the incident.