Purdys security breach puts information of thousands of online customers at risk
VANCOUVER — Vancouver-based Purdys Chocolatier has suffered a security breach of its database that has put the private information of thousands of online clients at risk.
In a notice of the data breach sent out Wednesday to clients — obtained by Postmedia News — company president Peter Higgins said Purdys was notified on Feb. 7 by one of its Internet service providers that its database, containing customers’ information, was the target of a security breach.
Higgins said Friday that roughly 12,000 Canadian and 1,500 U.S. buyers were affected by the breach and that both Purdys and the Internet company involved — Aptos, based in Georgia — have since taken strong measures to ensure it doesn’t happen again.
He also said there has been “zero” record of any fraudulent activity since the breach, but it was “awful that somebody was able to hack in.”
“We immediately made sure the credit-card companies were informed and the police were informed to minimize any harm to the customers,” Higgins said.
“There was no security code access, no email address exposed or user names exposed.”
He said clients weren’t informed until this week because Purdys was conducting its own investigation and didn’t have all the necessary information on hand.
In his note to clients, Higgins said Purdys was told by the service provider that “an unauthorized person remotely accessed its systems and that the intrusion began in approximately February 2016 and ended in approximately December 2016.”
Higgins added: “Upon this discovery, our service provider reported the incident to law enforcement in December 2016 and, at law enforcement’s request, delayed notice to us until February 2017. We note that Purdys began using this service provider in May 2016.”
Higgins said no fraudulent activity has been detected.
However, the service provider told Purdys that personal information including names, addresses, phone numbers, creditcard numbers and credit-card expiration dates might have been accessed.
He said no passwords were compromised and that credit-card information processed through PayPal was not accessed.
Higgins said the customers at risk represent a “cross-section” of customers who buy chocolates online.
“[The breach] was on the purdys.com site, not our shops or store locations or [the] fundraising business that happens online or the online group purchase program.”
He said the company is considering its options regarding its future with Aptos.
“It’s been our service provider since May 2016. We’re evaluating all of our options, but haven’t made our final decision [on whether or not to retain Aptos]. They haven’t had this problem before.”
Higgins said the person responsible for the security breach has not been identified.