Close on the heels of Quora’s data breach just two days ago, online florist 1-800-FLOWERS has announced that they have been subject to a data breach that has been going on for 4 years. The breach was of payment data including credit card number, expiration date, card security code, and the first and last name of the card holder. As many as 75,000 1-800-FLOWERS customers have been affected.
At this point 1-800-FLOWERS’ parent company, 1873349 Ontario, Inc., has said that the only customers potentially affected are its Canadian customers, who use the 1800FLOWERS.ca site, and not customers in the U.S. who use the 1800FLOWERS.com site.
According to ThreatPost, “The obvious culprit would be card-skimming malware, which raises the question of how it could be installed and active for that long without detection; however, a misconfiguration or a website vulnerability could also be to blame, which would better account for the long window,” meaning the four years it went undetected.
1-800-FLOWERS and its parent company, Ontario, have not specifically stated how many customers have been affected; it is LeaderPost that dug up the figure of 75,000 customers.
In a copy of the letter sent to 1-800-FLOWERS customers potentially affected by the data breach, filed with the California Attorney General’s Office, as required by the state of California, Ontario, Inc. said that “Our security team was made aware of suspicious activity on the Canadian Website. We immediately began an investigation with the assistance of a leading computer security firm and disabled the website. On October 30, 2018, the investigation identified unauthorized access to payment card data from cards used to make purchases on the Canadian Website from August 15, 2014 to September 15, 2018.”
They go on to say that “Findings from the investigation suggest that the information collected included your first and last name, payment card number, expiration date, and card security code. We are notifying you because you may have placed an order on the Canadian Website between August 15, 2014 and September 15, 2018 using a payment card ending in (card number).”
Now, it’s entirely possible that the data breach of 1-800-FLOWERS was in fact limited to the Canadian version of the site (1800flowers.ca) and was not replicated on the U.S. site (1800flowers.com). Of course, it’s also entirely possible that they simply have not discovered a twin breach on the U.S. site (or have not yet announced it if they have).
Regardless, it’s a darned good idea to go over your credit card statements, and bank statements, every single month, if not more frequently, to ensure you have not had any fraudulent charges placed on your accounts.