Affected customers have all reportedly been notified.
By their bank saying they are overdrawn and why did they transfer all their money to Romania?
At least they had a few old five pound notes in their jacket pocket. Oh wait....
Malware has infected backend systems used by Brit high street chain Debenhams – and swiped 26,000 people's personal information in the process. The cyber-break-in targeted the online portal for the retailer's florist arm, Debenhams Flowers. Miscreants had access to the internal systems at Ecomnova, the biz that runs the …
There are going to be some nasty shocks when the fines start to build up.
Let's wait and see if serious fines get levied before being that confident. I suspect we'll see a continuation of the current trend: Public sector fining itself, SMEs taking a pounding, wilful fraudsters evading their fines, and big companies getting fines amounting to peanuts. TalkTalk will be hoping so.
Especially when companies begin to realise that under GDPR they can be fined for breaches upstream or downstream so best start looking at all those 3rd parties who are collecting data on your behalf and those you are supplying data to.
Regardless, as Debenhams are finding out, it's their brand that is going to be hit regardless of where the breach occurred.
"Often it is believed that if third-party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn't take into account any changes in the company's infrastructure or advancements in attack techniques"
In the real world, compliant is as much use as used toilet paper. Do you have any ideas as to the ecommerce platform Debenhams runs on and the technical nature of the attack?
A year ago a Magento project I was involved with was also affected by a similar hack.
It could be a JS payload that sits on the checkout page and sends AJAX requests to a pre-uploaded PHP file that transmits data to an external server via cURL.
So it doesn't matter if you store payment data or not, this would not protect your customers if you have any third party scripts sitting on your checkout.
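The hack described in the comment above depends on two changes on the web server: script added to the checkout page and a PHP file uploaded beforehand. As an added example (not part of the original thread, and not code from Magento or any commenter), a file-integrity check compares the web root against a baseline taken at deploy time; the file names, contents and watched extensions are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED = {".js", ".php"}  # assumption: file types relevant to the hack described above


def snapshot(webroot):
    """Map each watched file (path relative to webroot) to its SHA-256 digest."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED
    }


def diff_against_baseline(baseline, current):
    """Return files that were added, modified or removed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a clean deploy, then a changed checkout script and a new PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "media").mkdir()
        (root / "index.php").write_text("<?php // storefront entry point\n")
        (root / "js" / "checkout.js").write_text("function submitOrder() {}\n")
        baseline = snapshot(root)  # taken at deploy time, stored off the web server

        # Simulated post-deploy changes (placeholder content only).
        (root / "js" / "checkout.js").write_text("function submitOrder() {}\n// appended code\n")
        (root / "media" / "cache.php").write_text("<?php // file not in the release\n")
        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The baseline is only useful if it is stored somewhere the web server cannot write to, so that whoever can upload a PHP file cannot also rewrite the manifest.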
I bought from Debenhams Flowers on one occasion. I used an email address unique to that site when I registered.
I received a phishing email to that unique address. I attempted to alert Debenhams Flowers to the clear fact that they had leaked my email address. They wore me down ignoring me.
So they leak people's data and they don't care.