Menu
Browse

Cyber Incident Victim: 1-800-FLOWERS

Date:

Aug 2014

Location:

Canada

Summary

The Canadian division of 1-800-FLOWERS experienced a multi-year breach compromising customer payment card information, including names, card numbers, expiration dates, and security codes, through its e-commerce platform. Unauthorized access was confirmed following alerts about suspicious activity, prompting the company to redesign its website and implement enhanced security measures while coordinating with payment card networks. The incident exclusively affected the Canadian operation, with no impact on U.S.-based transactions.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

The Canadian retail operations of 1-800-FLOWERS, operated by 1873349 Ontario, Inc., experienced a sustained data breach affecting customers who made purchases through www.1800Flowers.ca between August 15, 2014, and September 15, 2018. Unauthorized actors gained access to payment card data during this four-year period, with the intrusion confirmed by the company’s security team on October 30, 2018, following alerts about suspicious website activity. Exposed information included customer names, payment card numbers, card expiration dates, and security codes (CVV/CVC). The company filed a breach notification with the California attorney general’s office on November 30, 2018, explicitly confirming the compromise of card security codes—a detail that heightened risks of fraudulent transactions. No evidence suggested U.S.-based transactions through 1800Flowers.com were impacted.

Cyber Incident Image

1873349 Ontario, Inc., initiated containment by redesigning the Canadian website and implementing unspecified additional security measures to prevent recurrence. The company coordinated with payment card networks to ensure issuing banks and card providers were notified of exposed accounts. The breach notification letter emphasized these technical and procedural changes but did not disclose forensic details about the intrusion method, attacker identity, or total affected individuals. Customer-facing communications focused exclusively on payment card risks, with no mention of non-financial data exposure or downstream fraud incidents linked to the breach. The four-year exposure window indicated persistent undetected access prior to the October 2018 discovery.

Sources
Sources available to members
1 source