Well.ca credit card security breach affects thousands of customers

Canadian online health store Well.ca is warning its customers that a security breach at the retailer over the holidays may have led to their credit cards and other personal information being stolen.

An e-mail sent to “a small group” of Well.ca customers on February 18th said the company believes consumers who shopped online between December 22, 2013 and January 7, 2014 may have been affected.

I am one of those customers. I broke the story on Twitter.

After posting, Well.ca CEO Rebecca McKillican contacted me to explain what happened and why consumers were only notified today when the breach occurred over a month ago.

During the holidays a hacker gained access to Well.ca’s website through what the company describes as a third-party vulnerability, and accessed the personal information of first-time customers entering their credit card data to make a purchase. The hole was closed on January 7th during a routine software update. Over the following several weeks Well.ca determined which customers were affected, and approximately one week ago it obtained the information it needed from its payment processor and credit card providers to move forward with notification.

“We’ve only known all the information in the last five days,” said Ms. McKillican via phone. “We noticed that a few things were funny with our system in that time period, but what we didn’t know was how many people were affected and what information was taken. We needed those pieces to notify customers.”

The email sent to notify customers of the breach outlines the data stolen.

“Unfortunately, your name and billing address, credit card number, credit card expiry date and the CVV code which you supplied to Well.ca during this time period may have been part of the information that could have been obtained,” writes Ms. McKillican in the email message.

Email with Subject: Important Well.ca security notice


Well.ca is a popular Canadian e-retailer that sells health, beauty, and baby goods online. Founded in 2008, Well.ca is backed by a number of investors.

Who got hacked? What can Well.ca customers do?

“Only a few thousand customers were affected,” said Ms. McKillican via phone. The breach affected new customers making a first-time purchase and existing customers updating their personal information between December 22, 2013 and January 7, 2014.

First-time customers who entered Visa, MasterCard, or American Express credit card numbers during the breach timeline are being asked by Well.ca to contact their financial institutions to monitor their accounts.

Another option is to place a “Fraud Alert” on your account. If you get charged by your credit issuer for monitoring your account due to the breach, Well.ca said they will cover the cost. To get reimbursed, call Well.ca’s customer support line (1-866-531-2654) and give them your mailing address for a cheque covering the costs.

I won’t deny that having a compromised credit card stinks. Luckily, I use a single dedicated card for online transactions, which limits the damage to that one card.

Maybe you should too.

UPDATE: Well.ca has posted a statement on the security breach.

Love,
Kerry

Your two cents:

  1. ashley February 18th, 2014

    Well that explains a lot! I made a purchase on Jan 6th on well.ca and not even two weeks later my credit card was compromised. I couldn’t figure out where it could have happened. My card has been cancelled and I now have a new one, but it’s a huge pain dealing with the bank and all. This is disappointing that they’ve taken so long to notify customers.

  2. Kerry February 18th, 2014

    @Ashley Did you get the email from Well.ca?

  3. Ashley February 18th, 2014

    @Kerry: Yes I did. Once I saw your post, I logged into my email (because I made a purchase in early January) and there was an email from Well.ca with the same notification you were sent.

  4. Tracy February 19th, 2014

    I shopped on Jan 1st, but paid via PayPal… I’m assuming that means I’m safe? Do you have an opinion on PayPal?

  5. michelle February 19th, 2014

    Does applying a “fraud alert” affect one’s credit rating?

  6. Stephanie McEvoy February 19th, 2014

    Thank you so much for sharing this story Kerry. I joined well.ca in Sept 2013 so I did not get any type of email.

  7. Ajka February 19th, 2014

    Well, that’s lovely. The other day it was Target (though I believe it was only US Target but I don’t know for sure), a while ago it was CIBC.
    Aren’t these companies doing any audits to test the security of their data?

    Michelle, a fraud alert should not affect your credit rating.
    I had a fraud alert on my credit after I reported my wallet stolen (unbeknownst to me, the entire week it sat in the grocery store’s safe, even though when I called them a day after they told me no wallet had been turned in) and basically if I wanted to purchase an item the price of which exceeded a specific amount, I had to call them ahead of time. I noticed that they must have removed the fraud alert on their own (I did not ask for it) since they don’t do it any more.

  8. shipcarpenter305 February 19th, 2014

    What frosts my shorts is all these faceless corporations losing our credit information deny any culpability for damages to our personal finances. If I did that to you, I would correctly be sued and found liable. Why not them?

  9. Dan @ Our Big Fat Wallet February 20th, 2014

    Did they ever elaborate on exactly what happened? Just curious as to what a “third party vulnerability” is and whether it’s something that other sites have.

  10. Something similar happened in South Korea recently, though the scale was much larger compared to Well.ca. Three largest credit card companies were hacked and the huge chaos that resulted led to the dismissal of the top bosses. These stories are becoming all too familiar and credit card companies don’t really have an excuse for guarding their databases ineffectively.

  11. Kevin Kassil February 27th, 2014

    My credit card was used fraudulently a few days before Well.ca sent its warning letter. They never should have retained the credit card and CVV numbers in their system. This is unacceptable.

    Telling customers they must “protect themselves” by contacting Equifax, an organization they have no relationship with, is not an appropriate response.

  12. vancouver b February 27th, 2014

    I got this email too. I found it completely unacceptable and have sent them a request under privacy legislation (BC’s PIPA and PIPEDA) to know who this “third party service provider” is. They refuse to tell me to date. My written request was made only last week, so I am waiting for their final reply before I pursue an appeal with the privacy commission. Very suspicious, though, that they won’t say who the third party is. And I feel that they are required to do so by law, as you have a right under the privacy legislation to know, on written request to an organization, who has used or disclosed your personal information. I would suggest that anyone else affected by this issue also make a request. The provisions for your request can be found at s.23 of PIPA (BC’s privacy legislation – http://www.bclaws.ca/Recon/document/ID/freeside/00_03063_01#section23) and Schedule 1 sec. 4.1 of PIPEDA (http://laws.justice.gc.ca/eng/acts/P-8.6/page-19.html#h-25). You then contact the privacy commissioner if they refuse to provide you with the information, and the privacy commissioner will conduct a review if appropriate. BC privacy commissioner – http://www.oipc.bc.ca/ Canada Privacy Commission – http://www.priv.gc.ca/index_e.asp

  13. andrew March 2nd, 2014

    This type of problem is becoming more and more prevalent nowadays, especially during the holiday season when shoppers are spending more and noticing less and less of what goes on with their accounts. I always watch mine and notice anything odd that I didn’t do.

  14. Jeff March 17th, 2014

    While the recommendation of a separate credit card for online purchases sounds like a good idea, it actually doesn’t help much, if at all. I work in the software industry and deal with credit card systems, and I can tell you that the vast majority of credit card information is stolen from servers that are just as likely to handle credit card info from brick-and-mortar stores as they are to have data from online storefronts.

    That being said, it’s nice to have an uncompromised card to fall back on, when thieves get their dirty little fingers on one of yours.
