Credit card stealing malware on Canada’s 1-800-FLOWERS website went undetected for four years

It’s going to take more than a bunch of posies to make up for this one.

The Canadian branch of 1-800-FLOWERS revealed in a filing with the California attorney general’s office that malware on its website had siphoned off customers’ credit cards over a four-year period.

Four years. Let that sink in.

The company said it believes the malware was scraping credit cards between August 15, 2014 to September 15, 2018, but that the company’s main 1-800-FLOWERS.com website was unaffected.

“Findings from the investigation suggest that the information collected included your first and last name, payment card number, expiration date, and card security code,” the filing said.

So, that’s everything that a scammer would need to rinse your credit card dry.

The notification didn’t say how many customers had their data stolen, but California state law says that any hacked company has to inform customers if more than 500 California residents are affected.

As bad as a four-year breach is at the best of times, bizarrely it’s only the second company to admit a security issue dating back to 2014. Marriott on Thursday revealed that 500 million guest reservation records were stolen by unnamed hackers over the four-year period.

You know what they say: Bad news comes in threes. Bets on who’s next?