Those buying flowers for Mother’s Day or looking to send a plant for a birthday could find their thoughtful gestures reaping a crop of misery: Payment card data has been lifted from the Canadian online outpost of 1-800-Flowers, in an incident that has persisted for four years.
The site’s operating company, Ontario Inc., filed a notice with the attorney general’s office in California in accordance with the Golden State’s data breach notification requirements. It said that its security team noticed suspicious activity, and upon investigation discovered in October that there had been unauthorized access to payment card data used to make purchases on the Canadian website.
The impacted data consisted of basic card info: First and last name, payment card number, expiration date and card security code.
The standout point here though is how long shoppers were affected: Ontario said that it thinks that the data exposure lasted from August 15, 2014 to September 15 of this year. The obvious culprit would be card-skimming malware, which raises the question of how it could be installed and active for that long without detection; however, a misconfiguration or a website vulnerability could also be to blame, which would better account for the long window.
Ontario didn’t say how many were impacted, but California’s law requires a notification if 500 or more state residents are affected. And, the Canadian Post reported that 75,000 Canadian orders were involved. A spokesperson characterized the issue as affecting “a small number of orders.” The main U.S. website was not affected.
“We take the security of our customers’ personal information very seriously,” Ontario said. “To help prevent a similar incident from occurring in the future, we have redesigned the Canadian website and implemented additional security measures. We are also working with the payment card networks so that banks and other entities that issue payment cards can be made aware.”
Threatpost will continue to update this developing story with any additional coverage.