Charmin’. Garmin admits customers’ full credit card data nicked from South African web store

GPS and wearables maker Garmin has warned customers in South Africa that their personal info and payment data were pinched after they shopped on the portal.

The “stolen” data, which the emailed notice said was limited to Garmin’s South Africa site, included customers’ home addresses, phone numbers and emails as well as all the information needed for a criminal to make purchases using their payment cards, not to mention gain a foothold into identity fraud.

In the breach notice, attributed to Garmin’s South Africa MD, Jennifer Van Niekerk, the firm explained the “recently discovered theft of customer data from orders” included “the number, expiration date and CVV code for your payment card, along with your first and last name, physical address, phone number and email address”.

A Reg reader based in South Africa, who made a purchase from the vendor in early 2018, said the Garmin’s response had fallen short, with no offer on the table for fraud protection and no explanation given.

Our reader was also concerned about what looked like an apparent storing of payment data over an extended period of time, opining: “It’s weird that they were still hanging on to my (since expired) card details, and I wonder why it hasn’t occurred to them that the less customer info they hold, the lower the risk to the company itself if a breach does happen.”

The shopping portal ( has been hauled offline but appears to have been running on the popular Magento ecommerce platform – formerly owned by eBay and last year acquired by Adobe to be borged into its Experience Cloud enterprise CMS platform. As Reg readers will recall, cross-site scripting vulns were first found on versions of Magento back in 2016, prompting urgent calls for merchants to patch their installations.

The flaws made unpatched Magento shops vulnerable to carding malware, and miscreants flinging the Magecart card-slurping variant, among others, took full advantage in the months and years after. Dutch developer Willem de Groot found in October of the same year that hackers had installed skimming scripts on more than 6,000 online stores running vulnerable versions of Magento, and as recently as November last year, toff tat bazaar Sotheby’s Home was struck. It is not known if this is how the Garmin data was snaffled, and we’ve asked the firm to clarify. Readers who use Magento can make sure their systems are patched as per the recommendations from the Magento Security Center here.

We’ve asked Garmin South Africa about the extent of the breach, its storage and encryption of payment data, and how it intended to protect its customers and will update if we hear more.

The South African arm is listed in Garmin US’s annual reports and on its website as a subsidiary, though the sales data is not broken down into countries. Garmin hauled in total revenue of $3.34bn in fiscal ’18 (PDF), ended December 29, $1.2bn of which was attributable to the EMEA region. Its operating income for the year was $778m, 14 per cent growth over the prior year’s $683m.

The breach notice did contain an apology along with the expected bit about taking data protection “seriously” along with a piece of advice. “We recommend that you review and monitor your payment card records to make sure there were no unauthorized purchases.”

Quite. ®