[BreachExchange] Credit card stealing malware on Canada’s 1-800-FLOWERS website went undetected for four years

Destry Winant destry at riskbasedsecurity.com
Thu Dec 6 00:20:49 EST 2018


https://techcrunch.com/2018/12/03/credit-card-stealing-malware-flowers-four-years/

It’s going to take more than a bunch of posies to make up for this one.

The Canadian branch of 1-800-FLOWERS revealed in a filing with the
California attorney general’s office that malware on its website had
siphoned off customers’ credit cards over a four-year period.

Four years. Let that sink in.

The company said it believes the malware was scraping credit cards
between August 15, 2014 and September 15, 2018, but that the company’s
main 1-800-FLOWERS.com website was unaffected.

“Findings from the investigation suggest that the information
collected included your first and last name, payment card number,
expiration date, and card security code,” the filing said.

So, that’s everything that a scammer would need to rinse your credit card dry.

The notification didn’t say how many customers had their data stolen,
but California state law says that any hacked company has to inform
customers if more than 500 California residents are affected.

As bad as a four-year breach is at the best of times, bizarrely it’s
only the second company to admit a security issue dating back to 2014.
Marriott on Thursday revealed that 500 million guest reservation
records were stolen by unnamed hackers over the four-year period.

You know what they say: Bad news comes in threes. Bets on who’s next?

