Funky Pigeon still battling cyber incident

Funky Pigeon: home page now makes situation clearer

Funky Pigeon is still unable to accept customer orders, nearly two weeks after the cyber attack that compromised its systems.

The online greetings cards and gifts site is owned by retailer WH Smith, and had sales of £54m last year.

The site has been unable to process new orders since 14 April. 

Funky Pigeon has now updated its home page with clearer messaging about its inability to provide its usual services.

Previously, the site still allowed customers to create cards as normal, with the problem only becoming apparent at the payment stage, causing understandable frustration among customers who vented their annoyance on Funky Pigeon’s social media channels. 

It has also updated its website with fuller information for customers concerned that their data may have been involved in the cyber security incident.

Funky Pigeon said it was contacting all customers that have used its services over the past 12 months. 

“We take the security of customer data extremely seriously and we immediately launched a forensic investigation led by external experts to understand the incident and whether there has been any impact on customer data.

“These incidents are complex and resource intensive and any thorough investigation requires time to be comprehensive and accurate. We want to ensure that our customers are provided with accurate information,” it stated. 

“We have taken our systems offline as a precaution, and we are currently unable to fulfil orders while we work to restore our services. While this effort is ongoing, we have temporarily suspended any new orders via the website.”

Funky Pigeon said that while its customer-facing website was not affected by the security incident, some orders that were placed just prior to the incident becoming apparent were not fulfilled as a result of its systems being taken offline.

Funky Pigeon has also reiterated its belief that customer payment data had not been compromised. 

“This investigation is ongoing, but at present we have no evidence that customer payment data, such as bank account or credit card details, has been placed at risk. 

“The services impacted were not used to store customer financial card data. All of this data is processed securely via accredited third parties and is securely encrypted.”

However, digital law enforcement expert Chris Pogue, head of strategic alliances at data analytics specialist Nuix, said WH Smith had made a “textbook response to a data breach and shows that they don’t know if payment card data was taken”, or were waiting to inform their customers at a later date.

“In my opinion, the only reason for an online retailer to suspend orders is a payment card compromise, or a significant risk of continued data exfiltration, indicating that the incident has not yet been contained.

“Furthermore, although WH Smith has affirmed that customer payment data has not been compromised, this cannot be confirmed. Customer data being securely encrypted and processed via third parties does not prevent other attacks, such as SQL injection or Webshells, giving plenty of opportunity for compromise before the payment processor even receives customer payment data.”

WH Smith had not made any further comment on the situation at the time of writing.