Phytoplankton
Well-Known Member
For those that have ordered from Seedsman, from their website:
Seedsman Data Breach
Last updated on 21st June 2024.
What happened?
Cybercriminals recently hacked into Seedsman’s computer systems and stole some of our customers’ personal data.
We apologise for this and are working diligently to increase the security of our systems and protect our customers.
When did the breach occur and when did Seedsman discover it?
We believe the data breach occurred on or around April 3, 2024.
A handful of customers contacted us on May 31 after they had been notified by their security software. We immediately limited access to all our systems and began our investigation.
What information was taken?
An older customer database was accessed and stolen. The database contained user account details from May 2018 to December 2022 including:
Name
Email address
Address
Phone Number
Date of Birth.
Some customers had not provided all of this data, so the thieves did not have complete data for all records.
The following was NOT taken, and remains securely stored:
Payment records
Order records
Financial records.
We have notified by email all customers who were affected. If you have not received an email please check your spam and if you have concerns please feel free to get in touch.
What security did Seedsman have in place?
Without going into detail, I can say each PC used by team members continuously runs several security software programs and team members must use multi factor authentication to access email and other programs or systems. Our IT department uses best practices and a number of hardware and software to protect our system. We’ve further reinforced our protections since this cyber incident.
Why did it take so long for Seedsman to notify customers?
We responded as quickly and deliberately as possible once we learned a hacker broke into our system. We contacted our customers as soon as we had gathered all information on the breach, understood the level of the problem, double checked our security on other databases, and done our best to contain the issue. Because of the serious and sensitive nature of the data, we wanted to be sure that we had secured our systems and brought in outside cyber security experts before announcing the breach.
Are police involved? What authorities were notified?
The breach has been reported to the ICO in the UK, as is our legal obligation. We have no obligations in the EU or USA to report the breach given the type of data that was taken. We have taken legal advice in the UK, EU and USA and do not believe it is necessary or useful, at this stage, to report the issue to the police.
We continue researching the source of the hack and people responsible with a cyber security team, and will pursue legal charges when/if it becomes possible/necessary.
Will the company seek to press charges if the cyberthief is identified?
We will press charges if we can identify the person or people involved to help avoid this happening to others. If possible, we also want to remove this data from any websites or brokers who would attempt to sell or provide it to others.
What has Seedsman done to improve their security, since the breach?
When we became aware of the breach we immediately hired a cyber security company to advise us on improvements to our security protocols and to work with our team and our development partners.
We have updated and further strengthened security protocols for team members and contractors and increased security software on all team members’ computers as well as encrypting all archived data.
Is my data now safe with Seedsman?
We are following cyber security best practices and using independent outside cyber consultants to improve our security protocols. We believe our customers’ data is safe and will continue to conduct testing to further strengthen our systems’ security to prevent future breaches.
How do I know my data is safe?
Protecting our customers and their personal data is our priority. Outside cyber security experts have helped us identify areas that could be strengthened and we have addressed those areas. We also have modified our security protocols, added additional software and invested in additional IT improvements.
This breach is akin to a thief breaking into your home despite having strong locks on all of the doors and windows and stealing your valuables. We’ve installed new locks, an electronic security system, and added trained guard dogs inside and outside the house to prevent further incidents.
Can I get my data removed from Seedsman? How?
Yes, you can request for your personal data to be removed from our system at any stage. Contact our customer services team here.
We are obliged to keep some order data for financial regulations for 6 years in the UK, 4 years in the US and 5 years in the EU.
How do I know which data was taken?
If you would like to know what data about you has been taken - you can put in a data request by contacting us here. Please note you will need to contact us using the email registered with us.
How can I better protect myself?
There are various steps you can take to help better protect yourself from cyber crime. These include but are not limited to:
We have engaged with a respected independent cyber security company to advise us on best practices, and are following their advice.
All members of staff have received GDPR training, and we are stepping up cyber security training.
We also have increased security to all hardware and added additional security software. We also are conducting additional testing to detect any vulnerabilities that will subsequently be addressed.
As a company group we will be looking to attain ISO27001, an international Information Security Management System (ISMS) standard, that will ensure we are fully up to date with all aspects of cyber security and put this at the forefront of our business.
Update 21st June 2024
The investigation is still ongoing - once the Seedsman team have any news it will be posted here.
The Seedsman team are responding to personal data requests linked to the incident, and are deleting records and accounts when requested.
We would like to thank anyone who has got in touch for their support and understanding.
We have also spoken directly with a number of forum owners, to help answer any conerns or questions.
Seedsman Data Breach
Last updated on 21st June 2024.
What happened?
Cybercriminals recently hacked into Seedsman’s computer systems and stole some of our customers’ personal data.
We apologise for this and are working diligently to increase the security of our systems and protect our customers.
When did the breach occur and when did Seedsman discover it?
We believe the data breach occurred on or around April 3, 2024.
A handful of customers contacted us on May 31 after they had been notified by their security software. We immediately limited access to all our systems and began our investigation.
What information was taken?
An older customer database was accessed and stolen. The database contained user account details from May 2018 to December 2022 including:
Name
Email address
Address
Phone Number
Date of Birth.
Some customers had not provided all of this data, so the thieves did not have complete data for all records.
The following was NOT taken, and remains securely stored:
Payment records
Order records
Financial records.
We have notified by email all customers who were affected. If you have not received an email please check your spam and if you have concerns please feel free to get in touch.
What security did Seedsman have in place?
Without going into detail, I can say each PC used by team members continuously runs several security software programs and team members must use multi factor authentication to access email and other programs or systems. Our IT department uses best practices and a number of hardware and software to protect our system. We’ve further reinforced our protections since this cyber incident.
Why did it take so long for Seedsman to notify customers?
We responded as quickly and deliberately as possible once we learned a hacker broke into our system. We contacted our customers as soon as we had gathered all information on the breach, understood the level of the problem, double checked our security on other databases, and done our best to contain the issue. Because of the serious and sensitive nature of the data, we wanted to be sure that we had secured our systems and brought in outside cyber security experts before announcing the breach.
Are police involved? What authorities were notified?
The breach has been reported to the ICO in the UK, as is our legal obligation. We have no obligations in the EU or USA to report the breach given the type of data that was taken. We have taken legal advice in the UK, EU and USA and do not believe it is necessary or useful, at this stage, to report the issue to the police.
We continue researching the source of the hack and people responsible with a cyber security team, and will pursue legal charges when/if it becomes possible/necessary.
Will the company seek to press charges if the cyberthief is identified?
We will press charges if we can identify the person or people involved to help avoid this happening to others. If possible, we also want to remove this data from any websites or brokers who would attempt to sell or provide it to others.
What has Seedsman done to improve their security, since the breach?
When we became aware of the breach we immediately hired a cyber security company to advise us on improvements to our security protocols and to work with our team and our development partners.
We have updated and further strengthened security protocols for team members and contractors and increased security software on all team members’ computers as well as encrypting all archived data.
Is my data now safe with Seedsman?
We are following cyber security best practices and using independent outside cyber consultants to improve our security protocols. We believe our customers’ data is safe and will continue to conduct testing to further strengthen our systems’ security to prevent future breaches.
How do I know my data is safe?
Protecting our customers and their personal data is our priority. Outside cyber security experts have helped us identify areas that could be strengthened and we have addressed those areas. We also have modified our security protocols, added additional software and invested in additional IT improvements.
This breach is akin to a thief breaking into your home despite having strong locks on all of the doors and windows and stealing your valuables. We’ve installed new locks, an electronic security system, and added trained guard dogs inside and outside the house to prevent further incidents.
Can I get my data removed from Seedsman? How?
Yes, you can request for your personal data to be removed from our system at any stage. Contact our customer services team here.
We are obliged to keep some order data for financial regulations for 6 years in the UK, 4 years in the US and 5 years in the EU.
How do I know which data was taken?
If you would like to know what data about you has been taken - you can put in a data request by contacting us here. Please note you will need to contact us using the email registered with us.
How can I better protect myself?
There are various steps you can take to help better protect yourself from cyber crime. These include but are not limited to:
- Keep software and operating systems updated
- Make sure you have up to date virus protection software on your computer.
- Change your passwords regularly and make sure they adhere to best practice for strong passwords - Where possible use multifactor authentication
- Think before you click
- Never open attachments in spam emails
- Do no click on links in spam/unwanted/unexpected emails
- Contact companies directly about suspicious requests.
- If you do not want to share your personal details, always buy from a physical store.
We have engaged with a respected independent cyber security company to advise us on best practices, and are following their advice.
All members of staff have received GDPR training, and we are stepping up cyber security training.
We also have increased security to all hardware and added additional security software. We also are conducting additional testing to detect any vulnerabilities that will subsequently be addressed.
As a company group we will be looking to attain ISO27001, an international Information Security Management System (ISMS) standard, that will ensure we are fully up to date with all aspects of cyber security and put this at the forefront of our business.
Update 21st June 2024
The investigation is still ongoing - once the Seedsman team have any news it will be posted here.
The Seedsman team are responding to personal data requests linked to the incident, and are deleting records and accounts when requested.
We would like to thank anyone who has got in touch for their support and understanding.
We have also spoken directly with a number of forum owners, to help answer any conerns or questions.