Criminal hackers have struck again and stolen the personal data of 26,000 Debenhams Flowers customers, according to a company statement widely reported in the media.

Debenhams, one of the largest retailers in the UK, has taken the responsible step of alerting customers of Debenhams Flowers that they have suffered a cyberattack. Despite the name, Debenhams Flowers is a service and website run by Debenhams’ e-commerce partner Ecomnova.

Several customers have taken to social media to complain that it has taken the company several days to send the notification. The breach happened between 24 February and 11 April and was reportedly discovered on 29 April.

The delay could have been at the request of law enforcement: when a company realizes it has been subject to a breach, it may be beneficial not to let the cybercriminals know that they have been rumbled, so that evidence collection can start. If the cybercriminals are still accessing the system, this can be crucial to securing a conviction later on.

Here is the statement that Debenhams issued, and one customer's reaction on Twitter:

The personal data stolen includes, but is not limited to, credit card information, names, addresses, email addresses, and Debenhams Flowers account passwords, so precautions to limit the damage should be taken.

Here's the advice from Debenhams:

  • You should notify your bank or credit card supplier and request that the payment card that you used on the Debenhams Flowers website between 24 February and 11 April 2017 is blocked and a new card is sent, to minimize any risk of fraud
  • Check for suspicious or unexpected activity on that account
  • Be suspicious of any unsolicited emails, calls or texts, even if appearing to be from a company you know. Do not open email attachments, click through onto links or disclose any financial or personal details on a cold call
  • If you suspect that you have been the victim of fraud, you should contact Action Fraud
  • Ensure that your software, including anti-virus software, is up to date
  • Reset your password for any accounts where you use the same password for Debenhams Flowers. Set a secure password that includes capital letters and numbers

While the advice is sound, I would add the following:

  • When resetting passwords, wherever possible turn on two- or multi-factor authentication to increase your security level significantly.
  • Consider signing up to an identity protection service, such as Experian or Equifax, which provides active monitoring of your credit report and has experts on hand to assist you. If there is a cost involved I would ask Debenhams to contribute.
  • Get more than one email account: if the cybercriminals have access to the account you use for banking or password resets then they have control. Having a second account can help you keep control.

The most important thing to do is something rather than nothing — don’t read this and think "It will not affect me" — take proactive steps to secure your identity and credit cards.

Tony Anscombe, ESET Global Security Evangelist & Industry Ambassador