Toys"R"Us Canada breach reportedly exposes shopper data
The Canadian subsidiary of Toys”R”Us is reportedly notifying customers some of their personal data may have been leaked in a cyberattack several months ago.
According to The Canadian Press, Toys”R”Us Canada sent an email to some customers on Thursday, Oct. 23 stating that on Wednesday, July 30, it had discovered a post on the “unindexed web” with information the poster said had been stolen from the Toys”R”Us Canada customer database.
The email, which has also reportedly been posted at least in part by users on the social network X, did not specify whether the post containing Toys”R”Us Canada data occurred on the deep web, which consists of pages not indexed by search engines, or the dark web, which is only accessible with certain software.
In the email, the retailer said customer names, addresses, emails and phone numbers may have been exposed in the attack. Although Toys”R”Us Canada did not give a reason why it waited almost three months to notify customers, the company said it “immediately hired third-party cybersecurity experts who confirmed an “unauthorized third party” had copied some records from its customer database.
In an email to Chain Store Age, Chris Hauk, consumer privacy champion at Pixel Privacy, said Toys”R”Us may have been investigating the matter during the past three months.
"Negative points for Toys "R" Us for taking so long to reveal the breach, although it may have taken them that long to determine what data had been stolen," Hauk said.
Toys”R”Us Canada also said no passwords, credit card numbers or other confidential information was exposed and that not all customers were necessarily affected. So far, the retailer has not seen any evidence that any information stolen in the breach has been misused in any way.
In the email, the company apologized for causing any inconvenience or concern and said it is working on improving its cybersecurity and is in the process of reporting the incident to authorities. Toys”R”Us Canada has not yet responded to a Canadian Press request for comment.
[READ MORE: Verizon: Retail cyberattacks on the rise]
"Toys "R" Us customers should be on the lookout for targeted phishing emails and text messages from scammers posing as Toys "R"Us or a related company,” Paul Bischoff, consumer privacy advocate at Comparitech,” said in .commentary emailed to Chain Store Age. “The scammers can use the info from the breach to personalize their messages and make them more convincing. Fortunately, none of the breached data poses a direct threat to customers' finances or accounts. It does not include passwords, Social Security numbers, or taxpayer info, for example."