UK Shoe Retailer's Database Breached
Stored Customer Passwords Left Unprotected
The U.K. Information Commissioner's Office is ordering shoe retailer Office to address data protection issues following a May 2014 breach where a hacker exposed unencrypted website passwords and other details for more than 1 million customers.
In addition to selling shoes online, U.K.-based Office has 153 stores worldwide.
The retailer informed the U.K. Information Commissioner's Office on May 29, 2014, that an unauthorized individual hacked into an unencrypted "historic" database - due to be decommissioned - that was stored on a legacy server outside the core infrastructure of the company's current website, according to the ICO.
The breach highlights the need to identify and dispose of older data that is no longer used, Sally-Anne Poole, ICO group manager, says in a statement issued Jan. 19. "All data is vulnerable, even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used."
But many companies may not be purposefully hoarding data, says Rick Holland, a principal analyst for security and risk management at the consultancy Forrester Research. "Data governance is so immature that many simply don't know the scope of data within their environments," he says. "Attackers often do a better job of data discovery than the IT departments responsible for defending the data."
Organizations must conduct data discovery to know what sensitive information they have that needs to be protected, Holland says. "Once they have done this, they can kill the data or choose to encrypt or tokenize it. Before destroying any data, companies must understand their regulatory landscape and make sure they are aware of any data retention mandates."
In the wake of the hack against Sony Pictures Entertainment, in which older stored employee e-mails were exposed, Gizmodo reported that the company's general counsel had warned a studio executive that employees should be purging their e-mail on a regular basis (see: Sony's 7 Breach Response Mistakes).
In the breach of shoe retailer Office, once the hacker gained entry to the database, he was able to access contact details, including names and birthdates, and unencrypted passwords for more than 1 million customers, the ICO says. The hacker was also able to bypass other security measures the company had already put in place, allowing the breach to go undetected, according to the ICO.
No financial information was compromised in the attack because the retailer doesn't store it, the ICO says. "Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used," says Brian McCluskey, CEO of Office. The server involved in the breach has been decommissioned and a new hosting infrastructure is in place, he adds.
The ICO's Poole notes: "This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organizations." That's because the exposed database included passwords, which are often reused.
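The exposed table held each customer's password in the clear, which is why one leaked database could unlock accounts held elsewhere. The following added example (it is not code from the article, from Office or from the ICO) shows the defender's baseline for the same data: keeping a per-user salted, deliberately slow hash instead of the password itself, so that a copy of the table does not hand an attacker a ready-made list of reusable credentials. The customer records, the e-mail addresses and the scrypt cost parameters are constructed for illustration and are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample of what the "historic" database is described as holding:
# contact details plus a plaintext password per customer. All values are made up.
PLAINTEXT_RECORDS: Dict[str, Dict[str, str]] = {
    "alice@example.invalid": {"name": "Alice Example", "dob": "1985-04-12", "password": "Summer2013!"},
    "bob@example.invalid":   {"name": "Bob Example",   "dob": "1979-11-30", "password": "Summer2013!"},
}

# scrypt cost parameters (assumption: a modest interactive-login setting; raise them
# as hardware allows). Memory use is 128 * r * N bytes, i.e. 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt_hex$hash_hex".

    A fresh random 16-byte salt per user means two customers who chose the same
    password get different records, so the table cannot be attacked with one
    precomputed lookup, and equal passwords are not visible as equal rows.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password record format")
    expected = bytes.fromhex(hash_hex)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    return hmac.compare_digest(digest, expected)


def migrate_records(records: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Replace every plaintext 'password' field with a salted scrypt record.

    Nothing else about the row changes; contact details are still personal data
    and still need their own protection and retention limits.
    """
    migrated: Dict[str, Dict[str, str]] = {}
    for email, fields in records.items():
        safe = {k: v for k, v in fields.items() if k != "password"}
        safe["password_hash"] = hash_password(fields["password"])
        migrated[email] = safe
    return migrated


def plaintext_passwords_exposed(records: Dict[str, Dict[str, str]]) -> List[str]:
    """What a stolen copy of the table would reveal directly: every plaintext password it contains."""
    return [fields["password"] for fields in records.values() if "password" in fields]


if __name__ == "__main__":
    print("plaintext table leaks:", plaintext_passwords_exposed(PLAINTEXT_RECORDS))
    hashed = migrate_records(PLAINTEXT_RECORDS)
    print("hashed table leaks:", plaintext_passwords_exposed(hashed))
    for email, row in hashed.items():
        print(email, row["password_hash"][:40] + "...")
    print("login still works:", verify_password("Summer2013!", hashed["alice@example.invalid"]["password_hash"]))
```

The choice of scrypt here is an assumption; bcrypt or Argon2id serve the same purpose. Hashing does not stop a customer from reusing a password across sites, but it changes what a breach of this database yields: a list the attacker has to guess against per user, at the cost the parameters impose, rather than a list that works immediately elsewhere. The retention point in the article still applies unchanged: a table that has been deleted cannot be copied at all.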
The undertaking signed with the ICO requires Office to:
- Ensure all of its websites and servers are subject to regular penetration testing;
- Implement its new data protection policy documents within three months of the date of the undertaking;
- Provide formal data protection training to all Office employees and introduce regular refresher training to reinforce the provision; and
- Implement other security measures to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction and/or damage, and to ensure that any such information is only retained for as long as necessary.