Gift card retailer Funky Pigeon has experienced a cyber-attack, leading the firm to temporarily suspend orders.
Funky Pigeon, which is owned by WHSmith, revealed it had taken its systems offline as a precaution, preventing it from fulfilling customer orders. The firm’s website currently carries the message: ‘Oops! We’re experiencing some issues and we can’t accept new orders at the moment. Please try again later!’
The retailer said it had informed regulators and law enforcement of the incident, which it is currently investigating with the help of external cybersecurity experts. However, it assured customers that no payment data was at risk and said it did not believe any account passwords had been compromised.
In a statement, Funky Pigeon said: “As soon as we discovered the incident last Thursday, we launched a forensic investigation led by external experts to understand the incident and whether there has been any impact on customer data.
“We are currently investigating the extent to which any personal data – specifically names, addresses, email addresses and personalized card and gift designs – has been accessed. We take the security of customer data extremely seriously and we have temporarily suspended any new orders via the website.
“We would like to sincerely apologize to our customers for any concern or disruption this may cause, and reassure them that our teams are working around the clock to investigate and resolve this incident.
“As our investigation progresses, we will provide further updates to customers and other affected parties as necessary.”
The company added it would be writing to all customers from the past 12 months to inform them of the attack.
Retailers are becoming an increasingly enticing target for cyber-criminals following the significant shift to e-commerce during the COVID-19 pandemic. Earlier this month, UK retailer The Works was forced to close several stores and partially suspend its operations after a cyber-attack.
While there are limited details on the incident, including how much personal data was accessed by the attackers, cybersecurity experts have warned Funky Pigeon customers to be extra vigilant for social engineering attacks in the coming weeks and months.
Justin Vaughan-Brown, VP of strategic communications at Deep Instinct, commented: “Although Funky Pigeon has confirmed that they believe no customer payment data is at risk, personal data such as names, addresses and emails may have been accessed. Unfortunately, stolen data usually ends up being sold on the dark web and can be used to commit further crimes such as fraud. It is an awful position for both the business and customers to be in – not knowing who has access to their personal data, and ultimately, what they could be using it for.”
Dominic Trott, UK product manager at Orange Cyberdefense, added: “While Funky Pigeon and its owner WHSmith have released a statement saying that no customer payment data has been breached, that doesn’t mean it’s in the clear yet. Consumers are becoming increasingly aware of the risk of cybercrime as it rises higher on the mainstream news agenda, so the incident could still have an impact on the company’s reputation and its consumers’ willingness to spend.
“While the company has taken necessary steps since the breach – such as reporting the incident to regulators and law enforcement, informing those whose data may have been put at risk and taking its systems offline – it’s vital that it mitigates further and future damage. As a company that handles both sensitive payment data and personal information such as passwords, birthdays and addresses, Funky Pigeon must therefore have a comprehensive multi-layered approach to security.”