Debenhams said its Flowers website suffered a massive cyberattack compromising the personal and payment card details of up to 26,000 customers. The British retailer said hackers targeted Ecomnova, the third-party partner that operates Debenhams' flower and gifting websites.
The company said customers' names, addresses, email addresses, passwords and payment card details were potentially accessed or stolen in the attack. However, it noted that the incident only affected Debenhams Flowers customers and not customers of its main, separate Debenhams.com site. The breach, which took place between 24 February and 11 April, was reportedly discovered on 29 April.
"As soon as we were notified about the incident we instructed Ecomnova to suspend the Debenhams Flowers site until further notice," the retailer said.
Debenhams said it has contacted customers whose data may have been swiped and has launched a full investigation into the attack.
"Our communication to affected customers includes detailing steps that we have taken and steps that those customers should take," the company said in a statement. "We are working with Ecomnova and all relevant authorities to investigate this attack and apologise to all customers affected."
However, many customers took to social media questioning why the company took several days to notify them about the breach.
The Information Commissioner's Office (ICO) has been notified of the data breach. The ICO previously fined TalkTalk a record £400,000 ($519,320) following a massive "easy" data breach that saw the theft of nearly 157,000 customers' details. The hacker also accessed customers' bank account details and sort codes in another 15,600 cases.
Kaspersky Lab security researcher David Emm told IBTimes UK that it is crucial for businesses that handle users' sensitive data to employ multiple security solutions to safeguard their customers such as "running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure."
While businesses should use secure hashing and salting algorithms to protect all passwords, Emm said customers should avoid using the same password across various platforms and online accounts.
"It's to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner," Emm said.
Security firm Cylance's Anton Grashion said: "It's an unfortunate fact of life for security teams that an organisation's data is only as secure as the weakest link in the chain, which is often smaller third-party vendor organisations.
"It's absolutely critical to evaluate information security risk when choosing and onboarding a vendor, as well as to outline minimum security practices and stipulate liability in agreements with those organisations."