Cyberattacks did not skip the food retail industry in 2020. Eggfree Cake Box, a UK-based bakery chain popular for its fresh cream anniversary cakes, has recently reported a data breach. The company's online payments turned out to be insecure and its website was hacked: threat actors managed to steal customer data, including credit card numbers and the CVV codes on the back of the cards. The company discovered this security breach back in April 2020 and immediately investigated and took the necessary measures. However, customers have only recently been informed, in an e-mail notification, that their private data was in danger.

Who Is Behind This Eggfree Cake Box Data Breach?

Supposedly, MageCart is behind this cyberattack. MageCart is a group of hackers who normally use the Magento system to carry out a security breach and steal customer data. Their targets are shopping cart systems. This particular type of attack goes through suppliers and partners, that is, your third-party providers. The threat actors corrupt a piece of third-party software, which gives them access to vital information, including credit card numbers. This is usually called a supply chain attack.

How Does a MageCart Attack Work?

Basically, when you are redirected to the payment confirmation page after paying for your product, you actually land on a page compromised with a malicious script, also known as a web shell. According to Bleeping Computer, the malware then acts in sequence: it monitors, transmits, and gives access. Checkout pages are tracked, and the credit card information you submit is sent to a remote website, giving hackers access to your payment info. The purpose: this data is either used for fraudulent transactions or sold on the black market.
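A site owner can check a checkout page for the kind of third-party script described above. The following is an added example, not part of the original article or of Cake Box's response; it assumes Node.js, and the allowlist, hostnames and sample page are constructed placeholders.

```javascript
// Added example: audit <script> tags on a checkout page (constructed sample below).
// ALLOWED_ORIGINS and all hostnames are hypothetical placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",          // the store itself
  "https://js.payments.example",   // the payment provider's script host
]);

// Parse the attributes of one <script ...> opening tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per external script that is off-allowlist or lacks SRI.
function auditCheckoutScripts(html, pageUrl) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const { src, integrity } = parseAttrs(tag);
    if (!src) continue; // inline script: not covered by this check
    let origin;
    try { origin = new URL(src, pageUrl).origin; }
    catch { findings.push({ src, issue: "unparseable-src" }); continue; }
    if (!ALLOWED_ORIGINS.has(origin)) {
      findings.push({ src, issue: "origin-not-allowlisted" });
    } else if (origin !== pageOrigin && !integrity) {
      findings.push({ src, issue: "third-party-without-sri" });
    }
  }
  return findings;
}

// Constructed sample checkout page, not taken from the incident.
const SAMPLE = `
<html><body>
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v2/pay.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v2/widgets.js"></script>
<script src='//cdn.analytics-metrics.example/collect.js' async></script>
</body></html>`;

console.log(auditCheckoutScripts(SAMPLE, "https://shop.example/checkout"));
```

An allowlist with Subresource Integrity covers tampering with third-party scripts; a script planted in the store's own files needs server-side file-integrity monitoring as well.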

What Data Was Stolen?

As reported on Cel Solicitors' website, the Eggfree Cake Box data breach included customers' private data such as e-mail addresses, first names and surnames, and postal addresses, alongside payment information, meaning credit card numbers together with 3-digit CVV security codes.

What Measures Have Been Taken?

Global Payments, Cake Box's payment processing provider at the time, informed the bakery company about the Eggfree Cake Box data breach back on April 27th, 2020.

The food retailer immediately started a massive investigation and determined that the system was compromised with malware. In an e-mail notification to customers, Sukh Chamdal, the company’s CEO, assured them that the needed measures were implemented:

In light of the incident, we have also taken various additional steps to further strengthen the security of our systems and the resilience of our business against similar attacks in the future, including upgrading our systems, implementing additional security measures, and ensuring our staff is alert to potentially fraudulent or unauthorized activity.


What Can Customers Do About This?

As stated in the company’s official notification, customers can:

  • Notify their bank that their credit card details may have been stolen
  • Replace their card
  • Check their bank history starting April 2020
  • As a conventional security measure, pay attention and not fall victim to phishing e-mails that ask for financial info or login credentials.

The Eggfree Cake Box company was founded in 2008, starting with one small store. Its purpose was to expand across the UK market and make fresh egg-free anniversary cakes, providing on-demand services. Now the UK is home to 164 Cake Box stores.

Author Profile

Andra Andrioaie

Security Enthusiast

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
