Notice of Data Breach at Davidsons Farm & Country

On Tuesday 8th February 2022 Davidsons Farm & Country detected a security incident involving credit/debit card details during a routine audit. We reacted to the incident immediately, ensuring all vulnerabilities were dealt with and putting additional measures in place on top of our existing security system.

Davidsons Farm & Country deeply regret this incident has happened.

A timeline of the incident can be found below:

  1. Thursday 10th June 2021

    1. A malicious script was injected into our website, bypassing our antivirus and malware scanners and specifically targeting a third party plugin used to communicate with PayPal.
    2. From this moment, customers completing a sale using the debit/credit card payment method had their debit/credit card details, name and address forwarded to a private server. Those using PayPal directly were not affected.
  2. Tuesday 8th February 2022

    1. A manual security audit spotted the code embedded in a file.
    2. The code was immediately removed, the plugin disabled and PayPal removed as the debit/credit card provider on the website.
    3. Stripe was installed as the new payment provider using a different and more secure technique to deal with payments off-site.
    4. An internal investigation began to determine the extent of the security breach.
    5. The internal investigation determined that the code was sending credit/debit card data to a private server.
    6. The domain registrar of the private server was informed and a high priority issue raised with their Abuse and Legal team.
    7. Additional software was installed to provide advanced tracking of file changes across the website with immediate alerts of changes.
  3. Wednesday 9th February 2022

    1. The date of June 10th 2021 was identified as the most likely and earliest possible date the code was injected.
    2. The internal investigation found that 563 orders had potentially been affected. However, it was determined that any of these orders which used the PayPal method directly avoided the phishing attack, lowering the number of affected orders to 304.
    3. Further scans and manual audits of files were undertaken, producing no evidence of other malicious code or attempts to break into the system.
    4. It was determined this was an attack specifically targeting this plugin. The rest of the website and database did not appear to have been accessed.
  4. Thursday 10th February 2022

    1. Davidsons Farm & Country formally reported the data breach to the Information Commissioner’s Office (ICO).
    2. This page was set up to provide full transparency of the incident along with a timeline of events.
    3. We invested in industry-leading security software to provide additional levels of security alongside our existing solutions.

An overview of the incident can be found below:

What has happened?

A targeted attack bypassed antivirus and malware tools to insert malicious code intended to hijack a third-party plugin used primarily to communicate with PayPal to process payments. The code in question appeared to intercept the submission of an order to phish credit card data, forwarding this information to a private server before continuing with the normal transaction.

Who does this affect?

During our investigation we narrowed down the first possible date the attack was implemented to June 10th 2021. We therefore take June 10th 2021 as the first day this exploit was initiated.

Anyone paying directly with their debit or credit card on or after this date and up until 8th February 2022 may have been a victim. If you used your PayPal account via the PayPal website, your card data has not been intercepted as a result of this attack.

What has happened to my data?

We cannot be sure if the data sent to PayPal through the website was successfully submitted to the attacker or has been accessed by any third party. There has not yet been any evidence that the data sent to the private server has been used maliciously.

The following data entered into the checkout was being intercepted and submitted to a private server. This does not apply to anyone using their PayPal account:

  • Card Number
  • Card Expiry Date
  • Card CVC
  • First Name
  • Last Name
  • Billing Address Line 1
  • Billing Address Line 2
  • Billing City
  • Billing County
  • Billing Country
  • Billing Postcode
  • IP address

What should I do?

We recommend that all users review their bank statements for any suspicious or unauthorised transactions. If any transactions do appear suspicious, we recommend you immediately contact your bank to discuss the transaction.

In any situation where you suspect fraud on your card please contact your bank immediately. You can also obtain more information and advice as well as access tools to report fraud at:

In Scotland please visit Police Scotland.

In England, Wales and Northern Ireland please visit Action Fraud.

Is my other data safe?

Data stored in our database such as order details and shipping addresses remains secure. Under Article 17 of the UK GDPR individuals have the right to have personal data erased. You are welcome to submit a request to us for the removal of this data should you wish. We do not store credit or debit card details on the website.

How did Davidsons Farm & Country react?

We immediately took action to remove the malicious code from our website. Following the removal of the code we made the decisive call to remove PayPal Pro as our payment provider with immediate effect.

We also made contact with the domain registrar where the data was being submitted and registered an incident with their Abuse and Legal team.

To ensure transparency we formally reported the incident to the Information Commissioner’s Office (ICO).

What was in place to prevent this? Why was it not prevented?

Our server utilises Antivirus and Malware software to regularly scan and identify vulnerabilities. Regular audits also take place to look for any suspicious activity and to ensure all systems are operating as they should.

In this case the malware used remained undetected by both the scanners and the audits.

We follow multiple security best practices and regret that these have not prevented such an attack from taking place. Due to this we are investing in the further strengthening of our security, taking on an industry leading solution to protect our customers.

What are you doing to ensure this does not happen again?

As always, your privacy and the security of your data are our highest priority. We continually assess, audit and review our policies and software to ensure new threats can be dealt with and to identify ways in which we can improve our security.

Our immediate action plan includes:

  • Remove PayPal Pro as our payment provider.
  • Invest in state-of-the-art security systems to continuously check for unauthorised file changes.
  • Review our security audit procedures to integrate deeper evaluations of our software.

Who do I speak to for more information?

We have set up a dedicated email for this incident so we can answer your questions and gather any feedback.

Please email us at: heretohelp@davidsonsfc.co.uk

We understand the importance of our role in protecting your information and will continuously work to regain your trust.

Thank you for your understanding.

Davidsons Farm & Country