Your questions about the BFI Shop data issue

We've put together answers to some of the most common questions about the recent issue affecting the BFI Shop website.

We’ll keep this page updated as more information becomes available. If your question isn’t covered here, you can contact us at yourshopdata@bfi.org.uk.

What happened with the BFI Shop website, and was my personal data affected? 

  • On Tuesday, 1 April, we detected unauthorised access to the BFI Shop’s online payment page. 
  • We took the website offline immediately as a precaution and are working with cybersecurity experts to fully understand what happened and ensure it’s safe before bringing the site back online. 
  • Details entered on the payment page may have been accessed while customers were entering them. 
  • If you made or tried to make a purchase on the BFI Shop website, your payment information may have been at risk.  
  • Because of the nature of the cyber-attack, there is a possibility that personal information stored in the BFI Shop customer database – such as names and contact details – were accessed. 
  • (This response was updated 10/4/25).

Was my payment information compromised?

  • We believe that details entered on the BFI Shop payment page may have been accessed while customers were entering the information.    
  • If you have made or attempted to make an online purchase through the BFI Shop website, your payment information may have been compromised.
  • As a precaution, we recommend keeping a close eye on your bank or card statements and contacting your provider if you notice anything unusual.   
  • We do not store full card details in our system, which means there is no further risk of access. 
  • (This response was updated 10/4/25).

When exactly was the BFI Shop website compromised?  

  • Our forensic investigation has now confirmed that it is highly likely the BFI Shop website was compromised during two separate periods, both part of the same incident:
    • 18 September to 2 December 2024 (inclusive)
    • 13 March to 1 April 2025 (inclusive)
  • There is no evidence of compromise between 3 December 2024 and 12 March 2025.
  • It’s important to note that the available logs only go back to 18 September 2024, which limits our ability to confirm whether the compromise began earlier.
  • The vulnerability, which we believe was exploited, was in the third-party ecommerce software used to run the BFI Shop website – a widely used platform across many businesses. The flaw was identified around 11 June 2024, but we have no evidence that it was exploited on our system until the periods listed above.
  • These findings are based on a detailed investigation carried out by independent cybersecurity experts, who conducted a forensic review of the BFI Shop webserver.
  • (This response was added 25/04/25)

What should I do if I’ve made a purchase recently?

We recommend the following: 

  • Change your password on any websites where you use the same login details. 
  • Monitor your bank or card statements for any unusual transactions. 
  • Stay alert to phishing emails or suspicious messages pretending to be from the BFI. 
  • If you are expecting a delivery from the BFI Shop and have not received it, please email the BFI Shop Team at bfishop@bfi.org.uk. 
  • (This response was updated 10/4/25).

How do I change my password if the BFI Shop website is offline?

  • While the BFI Shop website is temporarily offline, you won’t be able to change your password for that account just yet. However, if you’ve used the same or a similar password on other BFI platforms or non-BFI services, we strongly recommend changing those passwords now as a precaution.

Have you fixed the issue? Is it safe to use the BFI Shop now?

  • The BFI Shop website remains offline while we continue to work with cybersecurity experts and our external supplier to resolve the issue and make sure the site is fully secure.
  • It will not be brought back online until we are confident that it is safe to do so.

Have other BFI websites or services been affected?

Why wasn’t I told about this sooner?

  • As soon as the issue was discovered, we took immediate steps to secure the site and begin an investigation. We’ve worked as quickly as possible to understand what happened and who may have been affected. We began to contact customers directly, as soon as we had a clear picture and the right advice to share.

What are you doing to stop this from happening again?

We’ve taken a number of immediate steps to protect customer data and strengthen our systems. These include:

  • Taking the BFI Shop website offline as a precaution
  • Introducing additional security measures
  • Working with specialist cybersecurity experts to investigate the issue and identify how it happened
  • Conducting a full review of the BFI Shop’s systems and infrastructure
  • Working with our external supplier to fix the vulnerability and ensure the site is secure before it is brought back online

Have you reported this to the authorities?

  • Yes, we have notified: The National Cyber Security Centre (NCSC), the Government Cyber Coordination Centre (GC3), Action Fraud, and the Information Commissioner’s Office (ICO). We will continue to cooperate fully with these authorities and follow any further guidance they provide.
  • (This response was updated 10/4/25).

How can I close my BFI shop website account?  

  • To request the closure of your BFI Shop account and deletion of all personal data associated with it, please contact yourshopdata@bfi.org.uk.
  • (This response was added 10/4/25).

How can I find out if I have an account with you? 

  • If you’re not sure whether you have a BFI Shop account or would like to know what personal data we hold, please contact us at yourshopdata@bfi.org.uk.
  • (This response was added 10/4/25).

Can you give me the password I used for the online shop? 

  • We’re not able to provide your password because we don’t store it in a readable format. Like many organisations, we use a form of cryptography called hashing. This turns your password into a unique string of characters that we can’t reverse. Therefore, we can’t see or retrieve the original password. 
  • (This response was added 10/4/25).

Were passwords encrypted? 

  • Like many organisations, we use a form of cryptography called hashing. This turns your password into a unique string of characters that we can’t reverse. Therefore, we can’t see or retrieve the original password. 
  • (This response was added 10/4/25).

If I have used the same login details on other websites or platforms, what should I do?  

  • If you use the same password for other accounts or websites, change them to strong, unique passwords. 
  • The National Cyber Security Centre offers clear advice on staying safe online and what to do if your data may have been compromised. 
  • (This response was added 10/4/25).

I want to delete my data from all your services – how do I do that? 

  • If you would like us to delete your personal data, you have the right to request this under data protection law (known as the “right to erasure”). 
  • Please email our Data Protection Officer at dpo@bfi.org.uk. Our Data Protection team will contact you to explain the process and confirm once your data has been removed. 
  • (This response was updated 10/4/25).

Can I request a copy of the data you hold about me? 

  • Yes. You have the right to request access to the personal data we hold about you (known as a “subject access request”). 
  • To do this, please email our data protection officer at dpo@bfi.org.uk. Our Data Protection team will contact you to explain the process. We may ask for proof of identity to ensure we’re protecting your information. 
  • We aim to respond to all subject access requests within one calendar month, as set out in data protection law. 
  • (This response was added 10/4/25).

Did you keep my card details after the transaction was processed? 

  • We do not store full card details in our system. However, we believe that details entered on the BFI Shop payment page may have been accessed while customers were entering the information. Therefore, if you have made or attempted to make an online purchase through the BFI Shop website, your payment information may have been compromised.  
  • As a precaution, we recommend keeping a close eye on your bank or card statements and contacting your provider if you notice anything unusual.
  • (This response was added 10/4/25).

Why is my personal information on file?

  • We only collect the personal information you provide to us, and only use it to deliver the service you’ve requested.
  • You can read more about how we collect, use, and protect personal data in our Privacy Policy.
  • (This response was added 10/4/25).

When will the site be online again?  

  • We don’t have an exact date yet, but we’re working hard with our external supplier and cybersecurity experts to resolve the issue. The site will only be brought back online once we’re fully satisfied that everything is secure. 
  • We’ll keep you updated on our progress and will post updates on this page.
  • (This response was added 10/4/25).

I want to make a complaint – how can I do that? 

  • We’re sorry about this situation and that it has caused concern.  
  • The BFI complaints procedure is published on our website on our Contact us page: https://www.bfi.org.uk/contact-us
  • (This response was added 10/4/25).

Who can I contact if I have more questions or concerns?

  • If you have any questions or would like further support, please contact us at yourshopdata@bfi.org.uk. Our team will do their best to help.

Where can I get extra support and information about keeping my data safe?

  • The National Cyber Security Centre offers clear advice on staying safe online and what to do if your data may have been compromised. 
  • The Information Commissioner’s Office (ICO) provides advice and guidance on data protection, privacy, and information rights. 
  • (This response was updated 10/4/25)