British high street retailer Debenhams has warned that the company which owns and operates its flower delivery website has been hacked, potentially exposing the personal information of up to 26,000 customers.
According to an email sent by Debenhams to affected customers, hackers had access to sensitive information on the Debenhams Flowers website for over six weeks – and stole personal information including payment card details, as well as customers’ names, addresses, email addresses and passwords.
I am writing to you as a precaution following confirmation on 29th April that our Debenhams Flowers supplier, Ecomnova, a company that owns and operates flower and gifting websites, has experienced a cyber attack.
The attack took place between 24th February and 11th April 2017. Records indicate that your data may be among that which has been accessed or stolen. We are writing to let you know of this risk to you and to advise you of the action you should take to protect your data in light of this attack.
As soon as we were notified about the incident we instructed Ecomnova to suspend the Debenhams Flowers site until further notice. Please note that Debenhams Flowers is completely separate from the Debenhams.com website, which has not been affected in any way.
There is no mention in the email as to whether Ecomnova, the company which was running the Debenhams Flowers site, was salting and hashing customers’ passwords – which is hardly comforting.
In a press statement, Debenhams apologised to affected customers, and said that anyone suspecting that they had been the victim of fraud should contact their bank directly and report the incident to Action Fraud.
In addition, it would be wise for any user of the site to ensure that they are not using the same password anywhere else on the internet, and stop reusing passwords. You should use a unique password for every website you log into. Otherwise, one of the first things that a hacker will do after grabbing your credentials in a data breach like this is attempt to use them against other sites (such as your email account).
And as for the Debenhams Flowers website? Well, as of right now, it appears that Debenhams has pulled the plug.
No flowers please.
One comment on “Debenhams warns flower-buying customers after website hacked for over six weeks”
Thank you Graham. Just shows how protecting data at rest and transition is vital.