A customer of Fota Wildlife Park has reported that cybercriminals attempted to empty his bank account after purchasing online tickets to the park, following a massive cyberattack that has endangered the financial security of its visitors.
Bryan Jacob, a physiotherapist from Cork, revealed that after booking tickets on the park’s website on July 29, he discovered two unauthorized transactions on his Revolut account on August 20. The transactions, processed within seconds, amounted to a total of €600. The first, for €280, was successful, while the second, which exceeded the account balance, failed. The charges originated from Vairano Patenora, Italy, a place Jacob had never visited.
Despite alerting Revolut and Google Pay—whose platform was used for the ticket purchase—Jacob has yet to recover the stolen funds. Both companies have so far declined responsibility for the loss. Jacob expressed his concern, stating, “I believe it is crucial to raise awareness about this issue, as other individuals may also have been impacted by this breach and subsequent unauthorized transactions.”
The cyberattack on Fota Wildlife Park’s website, which occurred between May 12 and August 27, prompted the park to notify customers on Wednesday about the potential breach of their payment details. The park advised customers to cancel their credit cards immediately and review their bank accounts for any signs of fraudulent activity.
Jacob described the Fota website as “antiquated and dated,” noting that even the email confirmations after purchasing tickets appeared outdated. As of Thursday, the park’s website remained inaccessible, with a placeholder message apologizing for the inconvenience. The park continues to operate, but only tickets purchased physically at kiosks are being accepted.
In response to the cyberattack, Fota Wildlife Park activated its incident response plan upon discovering illegal cyber activity on its site. The Data Protection Commission has been notified and is investigating the breach.
Jacob, who has referred his case to the Financial Services Ombudsman after unsuccessful discussions with Revolut and Google Pay, remains deeply concerned about the broader implications for other consumers.
A spokesperson for Bank of Ireland advised affected customers to contact their customer service team to cancel their cards and arrange for new ones.
Dr. Simon Woodworth, a lecturer in business information systems at University College Cork (UCC), also received a warning email from Fota Wildlife Park. After examining the park’s website source code, he noted that it was likely built on the WordPress platform, which can become vulnerable if not regularly updated. He also identified that the site was using an outdated encryption standard, TLS version 1, which has been obsolete since 2018.
Commenting on the potential severity of the attack, Dr. Woodworth stated, “If they were clever, they could have been sitting there quietly and gathering data for some time before acting on it.”