IOTW: Cyber incident halts Funky Pigeon online orders

WHSmith subsidiary and online card retailer Funky Pigeon was forced to halt all online orders as it dealt with a cyber security incident which occurred on 14 April 2022.

Confirming the incident on 19 April WHSmith explained that Funky Pigeon temporarily suspended orders from its website and an investigation was being carried out regarding the detail of the incident with external, unspecified IT specialists.

Funky Pigeon confirmed it has isolated relevant systems and said its customer-facing website was not affected by the cyber security incident.

Customer data “not at risk”

The retailer said “no customer payment data, such as bank account or credit card details, has been placed at risk – all of this data is processed securely via accredited third parties and is securely encrypted”.

However, in a later email to customers on 20 April, Funky Pigeon said it was still investigating the extent to which any personal data, specifically names, addresses, e-mail addresses, telephone numbers and personalized card and gift designs had been accessed.

Become a Cyber Security Hub member and gain exclusive access to our upcoming digital events, industry reports and expert webinars

The company also does not believe that any customer account passwords have been placed at risk.

Outside of the statements issued, Funky Pidgeon has not revealed many details of the cyber incident.

Michael Stout, a UK-based contract CISO and cyber security consultant, said it looked to be a “straightforward data exfiltration attempt” where an attacker seeks to steal information from a system”.

“Whether this was a targeted or opportunistic attack remains unclear, and if it were successful, the stolen data would likely appear for sale on the Dark Web, used by organized crime, or by a state actor,” Stout explained.

“There is also the possibility that the hackers would attempt to ransom the information in exchange for not making the attack public.”

UK retailers being targeted

This is not the first time in recent weeks a UK-based retailer has been the target of a cyber-attack.
On 5 April 2022, discount retailer The Works confirmed it had been the victim of a cyber security incident involving unauthorized access to its computer systems.

“Online retailers continue to be targeted by hackers as they are public-facing and generally accessible worldwide. In addition, the nature of this type of attack can make it difficult to trace or prosecute,” said Stout .

The incident caused disruption to online orders and saw five physical stores close as a result of replenishment deliveries to the group’s stores being temporarily suspended. The company took its systems offline following the incident.

One commonality in both the Funky Pidgeon and The Works incidents is that both businesses took actions to take their systems offline while investigating the incident.

Stout remarked that this “indicated a concern with the overall security of their system design”.

“Offline, the investigators can complete a thorough system review, prevent further exploitation and preserve forensic evidence,” he added.

Getting mitigation tactics underway

To mitigate a data exfiltration attack there are a number of actions a system owner should follow which including keeping an up-to-date threat model and blacklisting IP addresses outside of their target market, Stout told CS Hub .

He pointed out that while blacklisting is not a security guarantee, it can reduce exposure to less sophisticated attacks.

“Ideally, at the earliest stage of system development, system designers working with information security professionals should create a threat model mapping the system design to technologies, vulnerabilities and threat actors,” Stout noted. “The threat model should be updated and reviewed with each system change and upon discovering new threats and vulnerabilities.”

“Having a threat model allows system owners to identify weak points in their systems, document areas of improvement, and in the case of a Funky Pigeon attack, understand where the attack took place and what aspects of the system were likely exploited by the cyber criminals,” he concluded.