This attack reinforces the fact that attackers are increasingly targeting any organization that may have personal details, either to use directly or to reuse in attacks against other sites. It is similar in vein to the attacks a few months ago against Deliveroo and Camelot (the national lottery).
It is essential that companies enforce strong threat detection controls so that any attacks can be quickly identified and responded to. In this case, Debenhams had outsourced the operation to a third-party supplier. It should have vetted the third party beforehand and ensured it had adequate security controls in place.
A cyberattack has compromised the personal data of up to 26,000 Debenhams customers. The breach, which is understood to have been malware-based, targeted the online portal for the retailer's florist arm, Debenhams Flowers. Debenhams has stressed that the site is operated by Ecomnova, a third-party supplier, and that customers of other services have not been affected. Ecomnova also operates Debenhams' websites for hampers, personalised gifts and wines. While all four sites have been suspended, the retailer has not announced whether the others were also breached. Debenhams confirmed to Sky News that customer payment details, names and addresses were accessed or stolen during the attack.