Chefs’ Toys Reports Data Breach Following Reports of Unauthorized Credit Card Activity

Console and Associates, P.C.

Recently, Chefs’ Toys confirmed that the company experienced a data breach after receiving reports from customers of unauthorized charges on the credit and debit cards they had used to make purchases on the Chefs’ Toys website. According to Chefs’ Toys, the breach resulted in the names, credit card numbers and debit card numbers of certain customers being compromised. On June 24, 2022, Chefs’ Toys filed official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Chefs’ Toys data breach, please see our recent piece on the topic here.

What We Know About the Chefs’ Toys Data Breach

According to the most recently available information, on March 29, 2002, Chefs’ Toys started to receive reports of unauthorized payment card activity from customers who had made purchases on the company’s website, http://www.chefstoys.com. In response, Chefs’ Toys conducted an internal investigation but failed to identify any unauthorized activity.

However, the company also enlisted the assistance of outside cybersecurity professionals who detected a line of malicious code that was surreptitiously placed on the Chefs’ Toys online store. This malicious code was designed to capture customer data entered into the website, including credit and debit card numbers. It was subsequently determined that the unauthorized party had access to customers’ payment card information between November 12, 2021 and April 26, 2022.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Chefs’ Toys then reviewed the transactions that took place over this period. On May 31, 2022, the company completed this process, coming up with a list of affected parties.

On June 24, 2022, Chefs’ Toys sent out data breach letters to all individuals whose credit or debit card information was compromised as a result of the incident.

More Information About Chefs’ Toys

Founded in 1988 as a knife-sharpening company, Chefs’ Toys is currently a large restaurant equipment and supply company based in Fountain Valley, California. The company sells a wide range of equipment to commercial kitchens, including refrigerators and freezers, knives, cookware, cooking tools, serving ware and bar equipment. Chefs’ Toys also offers consulting services, including restaurant construction, kitchen design, and supply chain management solutions. Chefs’ Toys operates an online store as well as seven brick-and-mortar locations, including in Van Nuys, West LA, Torrance, Corona/Inland Empire, Anaheim, Fountain Valley and San Diego. Chefs’ Toys employs more than 116 people and generates approximately $22 million in annual revenue. Chefs’ Toys is a wholly-owned subsidiary of TriMark USA, a large restaurant supply company based in Mansfield, Massachusetts.

Data Scraping Attacks: How Hackers Obtain Credit Card Numbers from Online Stores

While Chefs’ Toys did not use the term “data scraping” to describe the recent cyberattack, based on the company’s description of what led to the breach, it appears as though this is a classic example of a data scraping attack.

Data scraping refers to the process in which a person or company uses automated bots to extract information from a website. Data scraping is not necessarily used for nefarious purposes. In fact, search engines use data scraping when crawling a website to determine which sites are most relevant to a user’s search. However, hackers can use data scraping techniques in conjunction with malicious software to obtain credit and debit card information from customers who make a purchase at an online store. Hackers do this by surreptitiously placing a line of malicious code on the back end of the online store’s website.

When hackers target a website in a data scraping attack, the website looks and functions as it normally does. However, the malicious code transmits customers’ names and credit or debit card information to the hackers when customers put in their information to complete a purchase. In this way, data scraping attacks allow hackers to gather large amounts of financial data, which they can then sell or use to conduct identity theft.

While data scraping attacks are undetectable to consumers, organizations with robust data security measures can often detect these attacks, limiting hackers’ ability to obtain sensitive financial data belonging to customers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.