Hackers have stolen the card details of thousands of customers buying flowers for loved ones over the busy festive period from UK commerce site the Great British Florist.
The firm says it was alerted to the breach on 30 January, after cards keyed in by customers shopping at the site started appearing in a rash of fraudulent payments.
In a letter sent to affected customers, the Great British Florist says: "Previously we found a piece of malware and removed it on the 5th December and believed this would solve the whole situation. We notified everyone that could have been affected at that time, but unfortunately we believe we have been the victim of a very sophisticated cyber-crime which means that we now have some evidence that the hackers have managed to re-infect our website between 6th December 2018 until 31st January 2019."
After further inquiries from Finextra, the firm says that as it doesn't hold credit card details on site, the most likely way security was breached is that "as you enter your payment details they scraped that as it went to the payment gateway".
The attack bears all the hallmarks of the massive digital credit card-skimming campaign orchestrated by the threat group Magecart, which is believed to have affected over 800 e-commerce sites around the world, including most prominently Ticketmaster last year.
Like the physical skimmers that criminals hide in compromised POS machines, gas pumps, and ATMs, digital card skimmers are scripts injected into e-commerce websites that record the credit card data unwitting customers enter into online payment forms.
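A defender's view of the same mechanism, as an added example that is not from the article or the firm's investigators: since the skimmer arrives as a script on the payment page, a site owner can record the scripts an approved checkout page loads and re-check the served page against that baseline, which would also flag a repeat injection after a clean-up. The host names, page markup and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect [src, inline text] for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_checkout(html, page_url, allowed_origins, approved_inline_hashes):
    """Return findings for scripts that differ from the approved baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src:  # external script: resolve relative and //host URLs first
            parts = urlsplit(urljoin(page_url, src))
            origin = f"{parts.scheme}://{parts.netloc}".lower()
            if origin not in allowed_origins:
                findings.append(("unapproved-origin", origin))
        elif body.strip():  # inline script: compare its hash with the baseline
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            if digest not in approved_inline_hashes:
                findings.append(("unapproved-inline", digest))
    return findings

# Constructed sample pages (hypothetical shop, gateway and CDN hosts).
PAGE_URL = "https://shop.example/checkout"
ALLOWED = {"https://shop.example", "https://gateway.example"}
INIT = "initCheckout();"
CLEAN = (f'<script src="/js/cart.js"></script><script>{INIT}</script>'
         '<script src="https://gateway.example/v1/pay.js"></script>')
TAMPERED = CLEAN + ('<script src="//cdn.static-assets.example/a.js"></script>'
                    '<script>/* unreviewed change */ track();</script>')
APPROVED = {hashlib.sha256(INIT.encode()).hexdigest()}

if __name__ == "__main__":
    print(audit_checkout(TAMPERED, PAGE_URL, ALLOWED, APPROVED))
```

This check inspects only the served HTML; a change made inside an already approved script file needs a file-hash comparison as well (for third-party files, Subresource Integrity).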
The Great British Florist says it has informed the Information Commissioner's Office of the breach and put in place recommendations from forensic investigators to counteract future incursions.
Founder and MD Heather Gorringe says: “I’m really sorry that these criminals have caused our customers such inconvenience and hassle, and we thank them all for their support. I can assure you we have put in place every security measure available. The facts are pretty stark - 60% of small businesses who are attacked in this way go out of business within 6 months. Only 10% of us are insured and the policies are so ambiguous I suspect most are completely ineffective when called upon for support. We mustn’t let the criminals win.”