Debenhams Flowers customers have had personal details that could include payment details and credit card information stolen in a 'cyber-attack', it was announced today.
Debenhams said the attack on Debenhams Flowers supplier Ecomnova, which has affected up to 26,000 customers, took place between 24 February and 11 April this year, but was only confirmed to have taken place on 29 April.
Debenhams says it has today contacted all customers who may be affected, to warn that their personal details may have been accessed or stolen.
The email, seen by MoneySavingExpert.com, reveals that credit card info and payment details could have been among the data stolen as well as personal information including names, addresses, email addresses and passwords.
Debenhams said it is too early to say if any money has been taken, but confirmed the issue only affects Debenhams Flowers customers, not users of the main Debenhams.com site.
Debenhams Flowers customer? Check for suspicious transactions NOW
No actual financial losses have been confirmed yet but Debenhams is warning all customers who used their cards on the Debenhams Flowers website between 24 February and 11 April 2017 to block their card, and order a new one.
It’s also vital you check your credit cards and bank statements for any unusual transactions, and keep checking over the next few days for any transactions that may come through.
If you see something suspicious that hasn't been refunded, call the Debenhams helpline on 0333 003 7068 or email email@example.com. Don't just assume it's been put right – check yourself.
"I want a full investigation"
One customer, Jasmine, who did not want to give her full name, contacted us about the breach and had many questions about how the hack could have happened.
She said: "I am a web developer by trade so this was particularly shocking for me.
"Luckily the card that I used has since been replaced. This does not mean I am less annoyed about how my data was being handled by the company.
"I want to know why they didn't take adequate steps to protect my data. I want a full investigation of the processes and decisions that led to this mess."
Another customer, who did not want to give his name, said: "I’m surprised it took them this long to contact customers with such potentially damaging financial details having been taken. The purchase I made was for Mothering Sunday, so there may be a huge swathe of info taken from new customers on such a busy day."
What action has Debenhams taken?
Debenhams emailed all affected customers this morning as a precaution informing them that “records indicate that your data may be among that which has been accessed or stolen” and advising customers to take action to protect their data in light of the attack.
Debenhams said that as soon as it was notified of the attack it told Ecomnova, which owns and operates the Debenhams Flowers site, to suspend it until further notice. Debenhams was notified about the breach on 29 April and began an investigation. It only sent the email out to customers today because it took several days to confirm details of the customers affected.
It has informed the Information Commissioner's Office (ICO), which is investigating, and said it is working with Ecomnova to tell the banks of those affected to block payment cards and give customers new cards. It has also told Ecomnova to delete all passwords for Debenhams Flowers accounts.
An ICO spokesperson said: “Businesses and organisations are required under the Data Protection Act to keep people’s personal data safe and secure. We are aware of a potential incident involving Debenhams Flowers and we are making enquiries.”
What does Debenhams say?
The email to Debenhams Flowers customers said: "Debenhams takes the security of our customers’ data very seriously and we would like to reassure you that we have taken all reasonable precautions to protect your data. The investigation and resolution of this matter is of paramount importance to us.
"We are very sorry that this attack on our supplier has affected you."
Ecomnova has yet to comment.
How can I protect myself against online scams?
There have been a number of high-profile hacks reported in the last 12 months including at Tesco Bank and the National Lottery. Here are some basic tips on how to protect yourself:
- Have different passwords. Use a complex and unique password for every email, e-commerce website and social media outlet you are a member of and change it often. A password manager can help you keep track of all your passwords. See our 60-second guide to password security for more help.
- Be mindful of what you share on Facebook. Avoid posting personal information on social media or other public sites that could be used by fraudsters to decipher login or password details.
- Keep track of your emails. Make sure you check your email on a regular basis to monitor for any password or email changes as well as unauthorised purchases.
- Don't hold bank info online. Avoid storing bank account details on sites you use to make purchases.
Meanwhile, a handy website for checking if your personal info has been compromised is HaveIBeenPwned? ('pwned' is geek-speak for being made a fool of, it's pronounced 'poned').