UK: Bettys specialty foods notifies customers of data breach

From Bettys.co.uk, a notification of a breach they discovered on May 8. Frustratingly, they only say that it was due to an “industry-wide software weakness” without being more specific as to what they’re talking about. DataBreaches.net contacted Bettys to ask for more specifics, but they declined to answer, saying public disclosure would only encourage copycat attacks, and that they have shared information with the ICO. I think we all know the answer to that one. Here’s their statement from their web site:

I’m sorry to have to tell you that the Bettys.co.uk website has been affected by a data breach. We are contacting you because you are on our website database and you will have been affected.

This data breach occurred due to an industry-wide software weakness, which allowed someone to illegally access the Bettys website database. Personal details (which could include names, email addresses, postal addresses, encrypted passwords and telephone numbers) were copied. We would like to stress that your credit or debit card details have not been copied as this information is stored on a completely separate system managed by a certified third party.

Bettys takes customer confidentiality extremely seriously and, whilst customer passwords were encrypted, it is important that you change your password as soon as possible by clicking this link or entering www.bettys.co.uk into your browser. On the homepage, click on the box next to the Bettys logo which reads ‘Want to change your password? Click here’. You will then be required to fill in your email address and will receive an email to reset your password. Alternatively you can log into your account and change your password directly from within ‘My Account’.

If you use the same password on other websites, please change those passwords too.
We would also advise you to treat any unsolicited phone or future email communication regarding your personal and financial information claiming to come from Bettys with extreme caution. To be clear, Bettys will never contact you and ask you to share any personal financial information.

If we have your postal address, we will be following up this email with a letter reiterating this advice. We are unable to take questions by reply to this email, but should you need further information, you can visit a website we have created specifically for this issue help.bettys.co.uk which will be updated with any new information. If you would like to speak with us you can contact us directly via our dedicated customer care line on
0800 368 3302 from 9am-8pm Monday to Friday | 9am-5pm Saturday and Sunday
or +44 (0)1844 266 076 if you are calling from outside the UK.

More information about online password security is available at the UK Government’s online web security portal Get Safe Online.

We would like to reassure you that we have carried out a full investigation with our security partners. The issue has been addressed and further security measures have been put in place. The Bettys website is operating as normal and, once you have changed your password, you can place orders again with confidence.
Finally, we would like to apologise unreservedly for what has happened and thank you for your prompt action and understanding.

Sincerely,

Paul Cogan, Director, on behalf of Bettys

Update: Bettys did not answer this site’s question about how many customers were affected, but Harrogate Advertiser reports that alerts were sent to 120,000 customers.

About the author: Dissent