On top of the names and addresses, payment details were also exposed by hackers behind this data breach

May 5, 2017 20:47 GMT

Personal data of up to 26,000 people was exposed due to a data breach affecting customers of Debenhams Flowers, the retailer's florist arm. 

According to Debenhams, the site is actually operated by Ecomnova, which is a third-party supplier. Therefore, customers of other services it provides have not been affected in any way.

On the other hand, Ecomnova also handles Debenhams' websites for hampers, wines and personalized gifts. All four sites have been suspended, but the company has not shared whether the others were also victims of the breach.

The data stolen by the attackers includes payment details, names and addresses, which is most worrisome. Debenhams has reportedly already been in contact with all affected customers, informing them of the situation.

"We are working with Ecomnova to ask the banks of those affected to block payment cards of those customers affected and issue customers with new cards," the company told Sky News.

A need for proper vetting of third parties

"This attack reinforces the fact that attackers are increasingly targeting any organization that may have personal details either to use directly, or to reuse in attacks against other sites. It is similar in vein to the attacks a few months ago against Deliveroo, and Camelot (the national lottery)," said Javvad Malik, Security Advocate at AlienVault. He adds that it is essential for companies to enforce strong threat detection controls so that any attacks can be quickly identified and handled.

Ajay Uggirala, Director at Imperva, added that in their experience, all businesses are under attack and fall into two groups: companies that have been breached and those that have yet to be breached. "This breach highlights the necessity for strong vetting procedures when taking on third-party suppliers. Your company's security is only as strong as that of your suppliers," he said.

Affected customers are advised to be wary of phishing attacks targeting their email addresses in order to gather even more data. Furthermore, keeping an eye on bank statements is also essential at this point in time.

Anton Grashion, managing director security practice at Cylance, is also of the opinion that it is essential for companies to evaluate information security risk when choosing and onboarding a vendor, as well as outline minimum security practices and stipulate liability in agreements with those organizations.