Hackers hit Lakeland with "sophisticated and sustained attack", passwords reset

Kitchenware store Lakeland has emailed customers telling them that hackers managed to gain unauthorised access to its web systems and databases late last week.

Although the company has confirmed that hackers accessed "two encrypted databases", it has been unable to ascertain whether information was stolen.

Perhaps reasonably, the firm has chosen to assume the worst, and reset all customers' passwords and asked them to choose new passwords next time they login.

Lakeland security breach

Part of the email reads:

Late on Friday July 19th we discovered that the Lakeland website was being attacked by hackers in a sophisticated and sustained attack. Immediate action was taken to block the attack, repair the system and to investigate the damage done and this investigation continues.

Today it has become clear that two encrypted databases were accessed, though we've not been able to find any evidence that the data has been stolen. However, we have decided that it is safest to delete all the customer passwords used on our site and invite customers to reset their passwords next time they visit the Lakeland site. Next time you log-in to your Lakeland account you will be asked to reset your password and provide a new one. It is not necessary to do this straight away, just the next time you want to use the account.

Lakeland has also advised customers to ensure that they are not using the same passwords anywhere else on the internet.

That's advice that really needs to be underlined. Far too many people use the same password for multiple websites, meaning that if their password gets hacked in one place they could find other online accounts are subsequently compromised.

With good password management tools like 1Password, LastPass and KeePass available it really is inexcusable for users to still be recycling passwords rather than picking new, hard-to-crack ones.

Interestingly, in its warning emailed out to customers, Lakeland gives a clue as to how the hackers might have managed to breach its systems:

Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the Java software used by the servers running our website, and indeed numerous websites around the world. This flaw was used to gain unauthorised access to the Lakeland web system and data. Hacking the Lakeland site has taken a concerted effort and considerable skill. We only wish that those responsible used their talent for good rather than criminal ends.

Quite what Java vulnerability Lakeland is referring to isn't currently clear, but add it to the pile of reasons (if you needed any more) why you probably want to keep as far away from that vulnerability-ridden technology as possible.

Tags: , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Vanja Svajcer, and Carole Theriault.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Listen now

Subscribe to the free GCHQ newsletter

, , ,

Leave a reply

6 Comments on "Hackers hit Lakeland with "sophisticated and sustained attack", passwords reset"

Notify of
Sort by:   newest | oldest | most voted

Inexcusable?! What planet are you on? As an extremely busy mother with a full on career, exactly WHEN would you like me to research password management tools? I'm sure an awful lot of busy normal people who don't have time to read all about the latest craze, gadget or app wouldn't know these exist. Although I am offended at your tone, I will amend my 'inexcusable' behaviour and utilise some type if password system, thank you for letting me know they exist – no need to be so nasty about it though.


The real problem is that too many sites – Lakeland included – require you to create an account in order to buy from them. I've bought from Lakeland once, in 2009, and they've kept my data all this time? Not only is this is an obvious-to-foresee security issue but is almost certainly contrary to DPA because personal data is being kept for longer than necessary.

And even this site (https://www.grahamcluley.com) requires an email address which isn't necessary and is sent in plain text. Practice what you preach, Mr Cluley.


While I welcome their approach to resetting passwords and informing users of the breach, I do think they could have done it sooner, given the breach was last Friday.

They also claim they are being open and honest – if that were truly the case, they would disclose more info about the attack to help other retailers and their customers prepare for future breaches.

Mark Mottershead
Mark Mottershead

I'm one of the good guys who seeks out the bad ones on a daily basis and from what I see each and everyday is that commercial organisations do not take all the precautions they should in protecting there clients private details.

If I put my private details into a form on a website I expect the owners to take sufficient precautions with my information so that it is not hacked or stolen and then used to commit fraud. I don't agree with you that the answer is to buy a password generator and as the lady said half of the population would not even know what one was!

Each enterprise has a "Duty of Care" to its customer and part of that duty of care is to protect clients information, so in this particular case with Lakeland if this is a known exploit why had they not protected themselves against the threat, probably because they where not aware of the threat until it happened.

Therefore there processes and procedures are not adequate enough because if they where they would have known of the threat and taken preventative action before the site was hacked.