Magecart Delivers Malware to 1-800-FLOWERS
Once again payment card data has been lifted from an e-commerce site, with the Canadian online outpost of 1-800-FLOWERS falling victim to Magecart. What’s alarming about this most recent disclose, though, is that the incident has lasted for over four years.
In its notice of breach disclosure shared with California’s attorney general, the company clarified that the incident “may have involved your payment card information used to place an order on our website, www.1800Flowers.ca (the 'Canadian Website'). The incident did not involve orders placed on the 1800Flowers.com website.”
During the course of an ongoing investigation that began on October 30, 2018, intelligence revealed that an unauthorized user had access to payment card data from cards used to make purchases on the Canadian website from August 15, 2014, to September 15, 2018, according to the notice.
Since discovering the breach, 1800Flowers.ca said it has taken appropriate actions to help prevent future attacks. “We have redesigned the Canadian Website and implemented additional security measures. We are also working with the payment card networks so that banks and other entities that issue payment cards can be made aware.”
Over the course of those four years, the card-skimming malware lifted full names, payment card numbers, security codes and expiration dates. While the Canadian company has not disclosed the total number of affected customers, it did disclose the breach to the California attorney general’s office, indicating that more than 500 Californians were affected. The company reported $238.5 million in its fiscal 2018 third-quarter results.
“Payment card-skimming malware continues to be a security challenge for retailers around the globe,” said Stephan Chenette, co-founder and CTO, AttackIQ. “British Airways, Newegg, Kitronik and now 1-800-FLOWERS have all been victimized by this malware this year, highlighting the need for enterprises to proactively invest in continuous security validation through automated testing if they want to detect security flaws and gaps before adversaries find them.”
Source: Information Security Magazine