Debenhams warns flower-buying customers after website hacked for over six weeks

Passwords and payment card details could now be in the hands of online criminals.

British high street retailer Debenhams has warned that the company which owns and operates its flower delivery website has been hacked, potentially exposing the personal information of up to 26,000 customers.

According to an email sent by Debenhams to affected customers, hackers had access to sensitive information on the Debenhams Flowers website for over six weeks – and stole personal information including payment card details, as well as customers’ names, addresses, email addresses and passwords.

Debenhams email

I am writing to you as a precaution following confirmation on 29th April that our Debenhams Flowers supplier, Ecomnova, a company that owns and operates flower and gifting websites, has experienced a cyber attack.

The attack took place between 24th February and 11th April 2017. Records indicate that your data may be among that which has been accessed or stolen. We are writing to let you know of this risk to you and to advise you of the action you should take to protect your data in light of this attack.

As soon as we were notified about the incident we instructed Ecomnova to suspend the Debenhams Flowers site until further notice. Please note that Debenhams Flowers is completely separate from the Debenhams.com website, which has not been affected in any way.

There is no mention in the email as to whether Ecomnova, the company which was running the Debenhams Flowers site, was salting and hashing customers’ passwords – which is hardly comforting.

In a press statement, Debenhams apologised to affected customers, and said that anyone suspecting that they had been the victim of fraud should contact their bank directly and report the incident to Action Fraud.

In addition, it would be wise for any user of the site to ensure that they are not using the same password anywhere else on the internet, and stop reusing passwords. You should use a unique password for every website you log into. Otherwise, one of the first things that a hacker will do after grabbing your credentials in a data breach like this is attempt to use them against other sites (such as your email account).

And as for the Debenhams Flowers website? Well, as of right now, it appears that Debenhams has pulled the plug.

Debenhams flowers website down

No flowers please.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “Debenhams warns flower-buying customers after website hacked for over six weeks”

  1. Ravinder Jamgotre

    Thank you Graham. Just shows how protecting data at rest and transition is vital.
