Fota Wildlife Park, in County Cork, Ireland, has been forced to advise customers to cancel their payment cards following a cyber-attack.
The attraction is warning customers who carried out “financial transactions on our website” between 12 May and 27 August 2024, to cancel their debit or credit cards via their bank.
The park says it has contacted all affected users. In an email seen by Irish broadcaster RTE, users with accounts on the Fota website were advised that their username, password and email address “might have been accessed.”
The email went on to advise customers to cancel any payment cards used to make payments on Fota’s website, and to check their bank and card statements for suspicious transactions.
The advice only applies to online transactions. Fota Wildlife Park stated that visitors who bought tickets or made other purchases in the park itself do not need to cancel their cards. The park is open for visitors as normal.
However, anyone who reused their Fota website password for other accounts should also change those. The park has set up a phoneline for anyone affected.
The cyber-attack appears to have been detected late last week, with Fota initially taking its website offline. The park has removed access to all its online accounts and brought in forensic cybersecurity experts. Fota has also notified Ireland’s Data Protection Commission (DPC) and the Gardaí (police).
The cyber-attack was uncovered at a busy period for the park, at the end of the school holidays.
The exact number of people affected by the breach have not been disclosed. However, a similar attack against Oregon Zoo, discovered last month, might have compromised the payment card details of almost 120,000 customers. This was the result of an attack against a third-party vendor that processed online ticket purchases for the zoo.
Commenting on the Fota incident, Ryan McConechy, CTO at managed cybersecurity provider Barrier Networks, said: “It’s not yet clear what incident has taken place, but based on the information available, it sounds like an unauthorized intruder has gained access to the park’s network and been able to access customer bank information."
“This could also suggest the data was stored in plain text, which would be very concerning. Organizations should learn from this incident that there is no immunity in the cybercrime world.”