Cyber Incident Victim: Touchnote

On November 4, 2015, U.K.-based online photo postcard service Touchnote confirmed it had fallen victim to a criminal cyberattack compromising customer data. The breach exposed registered users' names, email addresses, postal addresses, and order histories, with a small number of birthdates also accessed. While the company emphasized that no full financial details were compromised—as it only retained the last four digits of payment cards—the theft created significant privacy risks. Touchnote did not disclose the exact number of affected customers, leaving the breach's full scope undefined. Attackers obtained information that could facilitate identity fraud, though the specific intrusion methods remained unconfirmed at the time of disclosure. The company initiated internal reviews of its security protocols and infrastructure upgrades following the incident's discovery.

Touchnote notified the U.K. National Cyber Crime Unit and began contacting registered users within two days of confirming the breach. Customers received direct communications instructing them to reset their account passwords as a precautionary measure. The company warned that criminals might leverage stolen data for identity fraud attempts, advising vigilance against unsolicited requests for personal information or banking details. No evidence suggested misuse of exposed data at the time of notification, but the combination of postal addresses, names, and order histories heightened phishing risks. System updates and security reviews formed the core of Touchnote's containment strategy, though technical specifics of the attack vector and duration of unauthorized access were not publicly detailed. The incident underscored operational vulnerabilities in handling non-financial but personally identifiable customer data within digital postcard services.