Malware has infected backend systems used by Brit high street chain Debenhams – and swiped 26,000 people's personal information in the process.
The cyber-break-in targeted the online portal for the retailer's florist arm, Debenhams Flowers. Miscreants had access to the internal systems at Ecomnova, the biz that runs the Debenhams Flowers business, for more than six weeks.
Customer payment details, names and addresses from between February 24 and April 11 were all potentially exposed as a result of the breach, reports ex-Register vulture Alex J Martin, who just flew off to Sky News. Affected customers have all reportedly been notified.
El Reg asked Debenhams for confirmation of the scope of the breach but we're yet to hear back at the time of writing.
Security tech slingers said the snafu shows how brands can be exposed through the infosec shortcomings of third-party suppliers.
"The hackers allegedly gained access to site operator Ecomnova's systems using malicious software to access customers' personal and financial information," said Dr Jamie Graves, chief exec at ZoneFox. "The Debenhams hack is a key reminder to businesses that the third-party vendors you partner with should be properly vetted to ensure they have secure systems in place."
Thomas Fischer, threat researcher and security advocate at Digital Guardian, added: "The issue of supply chain security is a complex matter. Many organisations assume that their business partners are secure, but don't actually take steps to validate this.
"Often it is believed that if third-party suppliers and contractors are compliant to one security standard or another, they can be trusted with sensitive data. But being compliant at one point in time is not a true indication of security posture, as it doesn't take into account any changes in the company's infrastructure or advancements in attack techniques," Fischer added. ®