animates.co.nz data breach

29 June 2019 – 13 September 2019

This notification explains what happened and how it may impact you, and sets out steps you can take in response.

What happened?

An unidentified third party recently gained unauthorised access to our website between June 29 and September 13. The third party may have accessed your personal information and payment details entered on our website. We have no direct information of specific information breaches, but we think it’s important to share this information with you.

As soon as we became aware of this incident, we immediately shut down the Animates website and launched a full investigation, which is still ongoing. We are working with external IT security consultants to assist with this investigation. We have also notified relevant privacy and legal authorities. The website remains offline during this time.

We unreservedly apologise that this incident has occurred. At Animates, we have always prided ourselves on providing great experiences for our customers.

What personal information was involved?

Through our investigation to date, credit / debit card data has been targeted through the breach. Any personal information shared with us may have also been impacted by the incident. This could include your address, phone number, email address, username or password.

To those customers who made purchases online using Layby or PayPal, your payment information has not been affected. We can confirm no purchases made in physical stores have been affected.

What steps do you need to take?

  • Monitor credit card/debit activity closely: For customers that used a credit or debit card to make a purchase during the impacted period, you should monitor your credit/debit card statements closely and report any unusual activity to your bank.

    If the credit/debit card you used on our website does not belong to you, please take steps to bring this email to the cardholder's attention so that they can take steps to prevent potential misuse.

  • Change similar passwords across other sites. If you use the same password that you used to access Animates across other websites (such as email, social media, online banking etc), we would encourage you to reset these passwords as a precaution.
  • Keep a look out for email, telephone and text-based scams.

Please refer to the following Netsafe advice about password and online shopping security:

What other steps is Animates taking?

We take the protection of our customers' data very seriously and we are launching a new website that has passed security audits from third party security specialists. This website is due to go live in the coming days. 

We will be emailing our customers soon to notify them the new website is live and to create a new password for their account.

Who can you contact for more information?

If you have any concerns about your credit card / debit card, contact your bank immediately.

If you have any further questions or concerns, please email us at privacyofficer@animates.co.nz or visit www.animates.co.nz/data-breach for more information.  

For more information visit the Privacy Commission www.privacy.org.nz/

Kind regards,
Rod Gibson
Chief Executive Officer
Animates NZ Ltd.

FAQs

I am sure that I have been a victim of this situation, but my bank is saying this is not the case. What can I do? Can you check for me?
We know that 2,700 customers have been affected but we don’t know who. We advise customers who’ve purchased items on our website to take the following precautions:
  • Monitor credit card/debit activity closely: If you used a credit or debit card to make your purchase between June 29 and September 13, 2019, you should monitor your credit/debit card statements closely and report any unusual activity to your bank.
  • If the credit/debit card you used on our website does not belong to you, please take steps to bring this email to the cardholder's attention so that they can take steps to prevent potential misuse.
  • Change similar passwords across other sites. If you use the same password that you used to access Animates across other websites (such as email, social media, online banking etc), we would encourage you to reset these passwords as a precaution.
  • Keep a look out for email, telephone and text-based scams.
Does this affect my loyalty points?
Your Animates Petpoints loyalty points and any of your benefits have not been affected.
How come this went undetected for so long?
The unauthorised third party access was caused by malicious software (malware) that infected our website and remained undetected until a security audit. There is a due process to follow and this takes a bit of time. We notified relevant privacy and legal authorities as soon as we became aware of the extent of the incident. Our customers were informed the next day.
Does the new website have my personal data? What will be different from the old site?
The new website uses a trusted third party payment gateway that meets the highest security standards set by our bank. We have engaged a leading IT security information company to undertake strict security audits and certification to protect our customer data.
Where do you hold your data?
We do not hold customer credit / debit card data on our servers; this is held with the banks via the secure payment gateway which our website uses. Other customer data is held on secure data services with a third party provider, who specialises in large corporate client services, which includes large NZ insurance providers, airlines, and governmental organisations.
But how do I know that third party won’t be compromised too?
Cyber security is an area requiring constant vigilance and education. No organisation is immune from cyber threats.
Can you delete all my personal data?
We do not hold customer credit / debit card data on our servers; this is held with the banks via the secure payment gateway which our website uses. Other customer data is held on secure data services with a third party provider, who specialises in large corporate client data services, which includes large NZ insurance providers, airlines, and governmental organisations. We can remove your personal data at any time if you request this. This will also remove you from our loyalty program.
What assurance can I have this won’t happen again?
Cyber security is an area requiring constant vigilance and education. No organisation is immune from cyber threats and we are mitigating their impact through the use of highly secure website technology and responsible corporate digital citizenship.
Who is the third party you are using for security audits?
We have engaged a leading IT security information company called Aura to undertake strict security audits and certification to protect our customer data.
You've launched a new website, you must have known your old website was not good?
This has been a coincidence, as we have been working on launching a new, modern ecommerce site. This has been an ongoing project for over a year that will enable more modern customer-centric technology including a mobile optimised site, the ability to launch a click-and-collect service, membership programs and advanced features like a Google Maps integrated store finder.
I only shopped with you once, how long do you keep my information for?
We do not hold customer credit / debit card data on our servers; this is held with the banks via the secure payment gateway which our website uses. Other customer data is held on secure data services with a third party provider, who specialises in large corporate client services, which includes large NZ insurance providers, airlines, and governmental organisations. We keep this data for an indefinite time, as it is related to our customer loyalty program. You can request this data to be removed at any time.
When will you find out if my personal data has been accessed?
We know that 2,700 customers that transacted on the site during the affected period have been affected. We advise customers who’ve purchased items on our website to take the following precautions: Monitor credit card/debit activity closely. Change similar passwords across other sites. Keep a look out for email, telephone and text-based scams. We’ve engaged third party IT security experts to investigate all possible vulnerabilities and there is a chance we may not find out who has been impacted by this incident. We are taking a proactive approach to directly notify all 20,000 customers that have entered personal information on our site of the potential risk.
What’s different about the new site?
It has more modern, customer-centric features. The site is optimised for mobile use, and allows us to launch membership programs, a click-and-collect service, and advanced features like a Google Maps integrated store finder.
I am a repeat delivery customer, what is happening with my order and payments? Especially if I need a new credit card?
We are endeavouring to manually process ongoing customer orders, to maintain our service to our customers. We will be processing payments as soon as the new website goes live. If there has been a credit card number change, we will follow up to change the information with you.
I used my credit card in store, is that affected?
No, store transactions have not been affected.
I “like” your Facebook / Instagram page, is my data safe there?
There has been no associated breach involving social media; this was only the old website that was breached.
Do you ever sell your data?
No. We use our customer information for the intended purpose it was collected for with your opt-in permission.
Is my computer / device safe if I had been on your website?
It is extremely unlikely your computer has been compromised by our website; however, many devices are infected with malware undetected by the owner. It is always good practice to have up-to-date antivirus and anti-malware detection software on your device.
What is your process of ongoing website security?
Our hosting and development partners continually perform security scans and install updates on the website to ensure it is up-to-date to eliminate any vulnerabilities that emerge. Our hosts also monitor for any attempted intrusions. Internally we use something called two-factor authentication and we have a system in place (IP whitelisting) to mitigate unauthorised access to the website as well.