The company discovered on 8 May that its database had been breached and customer details copied but it has not revealed exactly when the breach is thought to have occurred.
It blames an “industry-wide software weakness” but declined to specify which software was involved.
Bettys & Taylors notified customers yesterday via an email from director Paul Cogan, who promised to follow it up with a letter by post for those customers for whom it has a postal address.
It has also created a mini-site which contains additional information about the breach including a lengthy section on Frequently Asked Questions (FAQs).
A spokesperson told SCMagazineUK.com that it has also shared information about the breach with the Information Commissioner.
This is the first time the website has been hacked, she said.
The actions taken by Bettys & Taylors stand in contrast to the lack of information for customers of Jamie Oliver's website following news that it had suffered a third malware infestation.
According to the Bettys & Taylors' spokesperson, the data breach involved all of its registered online customers – 122,000 names. “For the vast majority of customers on our database, the data copied is limited to name, email address and encrypted password,” she said.
The severity of the breach was less than it could have been because credit card details are not stored on the server but kept by a certified third party, the company stated.
It didn't reveal how many customers had contacted it since the breach was announced but said it was doing everything possible to inform customers about the breach and advise them about the potential security implications.
In its FAQ, it advises customers to change their Bettys.co.uk password and, if they use the same password on other sites, to change those passwords as well.
It has also advised customers to be on guard for phishing emails.
“Our security advisers tell us that most of this kind of information is also publicly available and, therefore, the attack shouldn't have increased anyone's immediate risk of ID theft. However, customers should be aware that the people who have obtained this information may use it to contact you and try and obtain other personal information including bank or credit card details – this practice is sometimes referred to as ‘phishing’.
“In addition, the people who have obtained our customers' encrypted passwords may be able to decrypt them and use them on other websites (if customers use the same password in more than one place). That's why we're asking customers to change their password on www.bettys.co.uk and, if they use the same password elsewhere, change it on that site too.”
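The spokesperson's warning that "encrypted" passwords may be decrypted turns on a distinction worth seeing in code: a reversibly encrypted password comes back in clear once the key is in the same hands as the copied database, whereas a salted, slow one-way hash can only be verified, never unwrapped. The following is an added illustration, not code from the article or from Bettys & Taylors, and it does not claim to show which scheme the company used; the toy XOR keystream stands in for any reversible scheme, the PBKDF2 parameters, the site key and the sample password are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed work factor for the example; real deployments tune this
# to their hardware and raise it over time.
PBKDF2_ITERATIONS = 200_000


def _xor_with_keystream(data: bytes, site_key: bytes) -> bytes:
    """Toy keystream cipher used only to model *reversible* storage.
    XOR is its own inverse, so the same routine encrypts and decrypts."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        block = site_key + counter.to_bytes(4, "big")
        keystream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def store_reversible(password: str, site_key: bytes) -> bytes:
    """What an 'encrypted password' column looks like: recoverable by
    anyone holding site_key, which often sits on the same server."""
    return _xor_with_keystream(password.encode(), site_key)


def recover_reversible(stored: bytes, site_key: bytes) -> str:
    """The failure mode the quoted warning describes: copied record plus
    key equals the customer's original password, reusable elsewhere."""
    return _xor_with_keystream(stored, site_key).decode()


def store_hashed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per customer means two
    accounts sharing a password get different stored values, and nothing
    in the record lets anyone turn the digest back into the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in
    constant time; this is the only operation the digest supports."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    site_key = b"constructed-site-key"       # constructed
    password = "Teatime2015!"                # constructed sample

    record = store_reversible(password, site_key)
    print("reversible store recovers:", recover_reversible(record, site_key))

    salt, digest = store_hashed(password)
    print("hashed store verifies   :", verify_hashed(password, salt, digest))
    print("wrong password rejected :", not verify_hashed("teatime2015!", salt, digest))
    # Same password, different salt: the stored values do not match,
    # so a leaked table does not even reveal which customers share one.
    print("per-user salt differs   :", store_hashed(password)[1] != digest)
```

The point for a defender reading the company's FAQ: if the copied column is reversible, the customer advice to change reused passwords everywhere is the only real mitigation, because the attacker's effort to recover plaintext is zero once the key is obtained; with a salted slow hash the operator has at least bought time, and the same advice still applies.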
At this point, it's difficult to tell what impact the breach will have on the business.
“Our priority has been addressing the issue, reaching out to customers and informing the relevant data protection authority (Information Commissioner's Office),” the spokesperson said. “The welfare and security of our customers is a priority for Bettys and we have already implemented additional security measures to protect all our customer details from further risk. Clearly, in the light of this we're reviewing our wider security measures too.”
An ICO spokesperson told SC, “We have recently been informed of a possible data breach involving Bettys and are currently looking into the details.”
Commenting on the breach in an email to SC, independent cyber-security consultant Dr Jessica Barker said, “This breach really highlights that any company, even small, placid ones, can be the target of cyber criminals and the victim of a breach. However, Bettys should be praised for their clear response, which apologises to customers and offers guidance on what to do next and where to go for further information.”