Funky Pigeon Halts Online Orders After Cyberattack

Funky Pigeon has suspended online orders after it suffered a cyberattack last week, and is still assessing how much damage has been caused.

The online greeting card company made no public statement about the security breach on either its website or official Twitter account as of 2pm Tuesday, but according to the Guardian newspaper, it is writing to all customers over the past 12 months to inform them of the hack.

The WH Smith-owned company however said that no payment data was at risk and it did not believe account passwords had been affected.

Funky pigeon hack

WH Smith itself in 2015 suffered a serious privacy mishap, after a misconfigured web page triggered a mass email to its entire mailing list.

But now it subsidiary unit has suffered an actual cyberattack, and is not taking any more online orders.

“As soon as we discovered the incident last Thursday, we launched a forensic investigation led by external experts to understand the incident and whether there has been any impact on customer data,” the Guardian quoted Funky Pigeon as saying in a statement.

“We are currently investigating the extent to which any personal data – specifically names, addresses, email addresses and personalised card and gift designs – has been accessed,” it reportedly said.

“We take the security of customer data extremely seriously and we have temporarily suspended any new orders via the website.”

Funky Pigeon has reportedly informed the Information Commissioners Office (ICO) and law enforcement about the breach.

“We would like to sincerely apologise to our customers for any concern or disruption this may cause, and reassure them that our teams are working around the clock to investigate and resolve this incident,” the company was quoted by the Guardian as saying.

“As our investigation progresses, we will provide further updates to customers and other affected parties as necessary.”

The Guardian pointed out that the Funky Pigeon hack comes two weeks after another UK retailer, The Works, was forced to shut some of its stores and halt stock deliveries to its shops after a cyber-attack.

Future risk

One security expert noted that while payment and password data has apparently not been compromised, there is a still a risk for customers going forward as other data such as names, email and addresses can be exploited.

“The cyberattack on Funky Pigeon is another example of the widespread impact cyberattacks can have on both businesses and customers. WH Smith confirmed that the attack on its greeting card subsidiary ahead of the Easter weekend had potentially put personal data at risk, and forced them to temporarily suspend orders on their website,” noted Justin Vaughan-Brown, VP of strategic communications at AI cybersecurity specialist Deep Instinct.

“Although Funky Pigeon has confirmed that they believe no customer payment data is at risk, personal data such as names, addresses and emails may have been accessed,” said Vaughan-Brown. “Unfortunately, stolen data usually ends up being sold on the dark web and can be used to commit further crimes such as fraud. It is an awful position for both the business and customers to be in- not knowing who has access to their personal data, and ultimately, what they could be using it for.”

“When organisations are breached by a cyberattack, security teams are under immense pressure to get their IT services back up and running as soon as possible, knowing that every minute offline is harming the business,” said Vaughan-Brown.

“On top of this stress, security teams have the constant fear of threat actors returning to the network to cause further harm, with a second attack potentially causing lasting and irreversible damage,” said Vaughan-Brown. “Organisations must, therefore, invest in security solutions that are proactive and preventative, rather than reactive, to ensure that cyberattacks are stopped before they damage an organisation’s network. ”