• Breach reported to Information Commissioner
• Third-party provider was hit
• Debenhams’ main site said to be unaffected

Debenhams has revealed that up to 26,000 customers of its Flowers website have been hit by a cyber attack on their personal data.

Shoppers’ payment details, names and addresses were put at risk by the hackers, who targeted third-party ecommerce provider Ecomnova, it was reported.

Debenhams said it had contacted customers affected.

Customers at Debenhams.com, the department store group’s main and separate website, were not thought to have been affected.

The cyber-raid occurred between February 24 and April 11.

Debenhams said: “Our communication to affected customers includes detailing steps that we have taken and steps that those customers should take.”

New chief executive Sergio Bucher, who formerly worked for online giant Amazon, said: “As soon as we were informed that there had been a cyber-attack, we suspended the Debenhams Flowers website and commenced a full investigation.

“We are very sorry that customers have been affected by this incident and we are doing everything we can to provide advice to affected customers and reduce their risk.”

The breach of security has been reported to the Information Commissioner’s Office.

Debenhams is not the only big-name retailer to have been hit by data issues.

Back in August 2015, Carphone Warehouse said that personal information on up to 2.4m customers may have been accessed by what it called “a sophisticated cyber-attack.”

Carphone Warehouse said at the time that the IT systems of a division that operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites had been targeted in the attack, but it took “immediate action to secure these systems.”

In October that year, Marks & Spencer was forced to suspend its website after customers complained that they could see other people’s details when they logged in to their online accounts.

However, the retailer insisted that its ecommerce platform had not been breached by hackers.

In the same month, more than 2,000 Morrisons staff said they were suing the grocer following a security breach that saw their personal details posted online.

Former Morrisons employee Andrew Skelton was jailed for eight years in July 2015 after he posted the bank, salary and National Insurance details of 100,000 Morrisons staff online.