Toronto- and Guelph-based Well.ca, an online portal for health goods, groceries and beauty products, has suffered a security breach that exposed the credit card info and billing addresses of thousands of its customers.
In an email to customers today, the company reported, “It was recently brought to our attention that one of our service providers was illegally compromised between December 22, 2013 and January 7, 2014, and that as a result the credit card information from a small group of Well.ca customers may have been obtained. Unfortunately, your name and billing address, credit card number, credit card expiry date and the CVV code which you supplied to Well.ca during this time period may have been part of the information that could have been obtained.”
According to CEO Rebecca McKillican, one of Well.ca’s database providers was infiltrated and a script was installed to intercept the financial details of both new customers signing up for the service and existing customers updating their credit card information. Though news of the breach comes over a month after the data was taken, McKillican says the company only learned about it in the past couple of weeks, and has since been working with the provider to figure out what happened. A few thousand customers were affected, according to McKillican, though Well.ca advises all customers to scrutinize credit card bills from the affected period and to contact their bank if any entries appear fraudulent.
The company has yet to publicly acknowledge the breach, but has been fielding calls and emails from concerned customers affected by the disruption. McKillican is planning to update all social media channels in the coming hours with a fuller explanation as to what happened.
Well.ca, which began as a small pharmacy in 2008, has raised over $8.6 million, according to Crunchbase, with Series rounds from Extreme Venture Partners, iNovia, Thunder Road Capital and more. It was founded by Ali Asaria, formerly of Microsoft and Research in Motion. McKillican took over as CEO in early 2013 after the company raised a $5 round from iNovia and others.
This is the second high-profile breach in the last week. On Wednesday, Kickstarter emailed its customers to inform them that a hacker gained access to their password database.
Well.ca’s CEO appears contrite, saying she is “extremely sorry” that this happened, and that she puts “transparency, honesty and integrity” at the top of the company’s customer service dealings.