Canadian online health store Well.ca is warning its customers that a security breach at the retailer over the holidays may have led to their credit cards and other personal information being stolen.

An e-mail sent to “a small group” of Well.ca customers on February 18th said the company believes consumers who shopped online between December 22, 2013 and January 7, 2014 may have been affected.

I am one of those customers. I broke the story on Twitter.

After I posted, Well.ca CEO Rebecca McKillican contacted me to explain what happened and why consumers were only notified today when security was breached over a month ago.

During the holidays, a hacker gained access to Well.ca’s website through a third-party vulnerability and accessed the personal information of first-time customers entering their credit card data to make a purchase. The security breach was fixed January 7th during a routine software update. Over the last several weeks, Well.ca determined which customers were affected, and approximately one week ago it was able to get the information needed to move forward from its payment processor and credit card providers.

“We’ve only known all the information in the last five days,” said Ms. McKillican via phone. “We noticed that a few things were funny with our system in that time period, but what we didn’t know was how many people were affected and what information was taken. We needed those pieces to notify customers.”

The email sent to notify customers of the breach outlines the data stolen.

“Unfortunately, your name and billing address, credit card number, credit card expiry date and the CVV code which you supplied to Well.ca during this time period may have been part of the information that could have been obtained,” writes Ms. McKillican in the email message.

Email with Subject: Important Well.ca security notice

Well.ca is a popular Canadian e-retailer that sells health, beauty, and baby goods online. Founded in 2008, Well.ca is backed by a number of investors.

Who got hacked? What can Well.ca customers do?

“Only a few thousand customers were affected,” said Ms. McKillican via phone. The security breach targeted new customers making a first-time purchase and older customers updating their personal information between December 22, 2013 and January 7, 2014.

First-time customers who entered Visa, MasterCard, or American Express credit card numbers during the breach timeline are being asked by Well.ca to contact their financial institutions to monitor their accounts.

Another option is to place a “Fraud Alert” on your account. If you get charged by your credit issuer for monitoring your account due to the breach, Well.ca said they will cover the cost. To get reimbursed, call Well.ca’s customer support line (1-866-531-2654) and give them your mailing address for a cheque covering the costs.

I won’t deny that having a compromised credit card stinks. Luckily I only use a specific card for online transactions.

Maybe you should too.

UPDATE: Well.ca has posted a statement on the security breach.

Love,
Kerry