On 19 August 2021, Direct Clothing Co. (UK) Limited (DCCUK) were contacted by a customer who advised that their payment card had been defrauded after using DCCUK’s website. An investigation by DCCUK found that a malicious code had been introduced to the website which allowed an unknown third party to obtain the payment card details of website customers.
The third party obtained access to DCCUK’s environment via a WordPress vulnerability, although the specific vulnerability could not be determined due to the number of vulnerabilities present at the time of the incident. DCCUK believed that a third party IT provider was responsible for the security and maintenance of the affected website, however, this was not the case.