Yesterday, beginning at around 20:00 BST, an email claiming to be from us and offering cashback on a previous order was sent to current customers; it came to our attention at 20:30 BST. This email was not genuine and formed part of a ‘phishing’ scam, where the fraudulent sender attempts to obtain your bank details by asking you to click on a link. It soon became clear that customer data relating to historic orders had been compromised to conduct this attack. We have worked since then with our cyber security team to understand where this breach occurred and, after further analysis, are confident that the data was accessed from one of our third-party provider’s systems, which sits outside of our own systems. We believe this took place within the last few weeks, since the scam website was created on the 25th June 2021.
When you place an order with us, we send out a confirmation email which contains essential information to enable us to fulfil the order and which includes a limited amount of personal data - namely your e-mail and shipping addresses. The confirmation email also includes other information, such as each individual order ID and the total amount of each order, and these were also obtained and used to create a look of authenticity. Importantly, the compromised information did not include any password details nor any payment information (which we never store on our systems).
Firstly, we just want to stress how sorry we are for this incident and the inconvenience caused. Without the loyalty of our customers we wouldn’t exist and we have let you down. We accept that this is a huge mistake on our part and are reviewing our systems, procedures and providers to ensure that improvements are made and lessons are learned and this never happens again.
We are working to assist customers with this issue. However, as we said earlier, if you have received the phishing email referred to above, or receive any further associated phishing emails using your details, please remain vigilant and do not click on any links unless you are sure you trust where they originated from. If you have already accessed any link and provided card details, we urge you to contact your card provider and cancel the card immediately. Please also contact us directly by email at firstname.lastname@example.org if you have any further concerns.
Earlier today we filed reports with both the Action Fraud Police Cyber Crimes and the Information Commissioner's Office, and we are working hard to get to the bottom of this scam website with a view to shutting it down, but appreciate this could take some time. We will provide further updates once we are able to provide further details on progress.
Our sincerest apologies,