Debenhams Flowers data breach affects 26,000 customers

Debenhams was hit by a malware attack earlier this month that compromised the personal data of up to 26,000 customers of its Flowers website.

The attack took place between 24 February and 11 April, targeting Ecomnova, a third-party operator that runs Debenhams Flowers and three other sites belonging to the retailer. The criminals behind the attack were able to access customers’ payment details, names and addresses.

In a statement, Debenhams said the incident only affected Debenhams Flowers, confirming that accounts remain secure.


The company’s chief executive, Sergio Bucher, told Sky News: “We are very sorry that customers have been affected by this incident and we are doing everything we can to provide advice to affected customers and reduce their risk”.

After discovering the breach, Debenhams suspended all Ecomnova-run websites, contacted affected customers and ordered a full investigation. As Bucher mentioned, the company is also working with Ecomnova to contact affected customers and advise them on what to do next. This has so far consisted of recommending they change their online banking passwords and monitor their bank balances.

The breach is another example of how third parties can expose well-known brands. Dr James Graves, chief executive at ZoneFox, said: “The Debenhams hack is a key reminder to businesses that the third-party vendors you partner [with] should be properly vetted to ensure they have secure systems in place”.

Thomas Fischer, threat researcher and security advocate at Digital Guardian, added: “The issue of supply chain security is a complex matter. Many organisations assume that their business partners are secure, but don’t actually take steps to validate this.

“Often it is believed that if third-party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn’t take into account any changes in the company’s infrastructure or advancements in attack techniques.”

Protect payment card data

As Fischer hinted, it’s vital for organisations to not only achieve compliance with security standards, but to review them on a regular basis. Any company that transmits, processes or stores cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS).

If you want to review your PCI compliance posture, you should order IT Governance’s PCI DSS Gap Analysis service. A PCI consultant will review your in-scope systems and networks and provide you with a detailed report about the areas that need attention. You’ll also receive a plan to bridge the gap between your current security posture and full compliance with the Standard.

Find out more about our PCI DSS Gap Analysis service >>