You won't see any mention on its homepage, but shoe retailer Office has been hacked

UK shoe retailer Office has sent its customers an email today, explaining that it has suffered a serious security breach.

Email from Office

Office says it became aware of a potential breach on May 22, 2014, and confirmed it on May 26. As a result it is resetting customers' passwords.

The good news is that Office does not store any financial information about its customers, so it wasn't able to lose your credit card or PayPal details.

However, the information accessed by the hackers included customers' names, addresses, day and month of birth (but not year), password and phone number... if you created your Office.co.uk account prior to August 2013.

Office's email says nothing about the passwords being hashed, salted or even "encrypted"... which possibly means we should expect the worst: that even the most basic protection was not in place, and that the stolen passwords are immediately usable by the hackers rather than something they would first have to crack.
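To make concrete what "the most basic protection" means here, the following is an added example in Python (not code from Office, nor from this post's author). It puts the two naive storage forms that a breach would dump usable passwords from beside a salted, iterated hash, and shows the tell-tale symptom of naive storage: two customers who picked the same password get identical records. The record format, iteration count and function names are my own assumptions.

```python
"""Password storage: plaintext / unsalted hash vs. salted, iterated hash.

Added illustration only. Record layout and names are assumptions, not any
retailer's real scheme.
"""
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; chosen to make offline guessing slow.
ITERATIONS = 600_000


# --- The "expect the worst" cases ------------------------------------------

def store_plaintext(password: str) -> str:
    """The database dump IS the password list; nothing to crack."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """One fast, unsalted hash per user: identical passwords give identical
    records, and precomputed tables or GPU brute force crack them wholesale."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Hardened form: per-user random salt + slow, iterated hash -------------

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or truncated record
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(digest, expected)


# --- What an attacker holding the dump would notice -------------------------

def same_password_collides(storage_fn) -> bool:
    """True if two customers with the same password produce identical records.

    Constructed sample: two accounts, both using the same weak password.
    """
    alice = storage_fn("summer2013")
    bob = storage_fn("summer2013")
    return alice == bob


if __name__ == "__main__":
    for fn in (store_plaintext, store_unsalted_sha256, hash_password):
        print(f"{fn.__name__:24s} identical records for same password: "
              f"{same_password_collides(fn)}")
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("Tr0ub4dor&3", rec))
```

Note that a salted, slow hash only buys time: a weak or reused password in such a dump is still guessable offline, which is why the reset and the advice not to reuse passwords still apply even when storage was done properly.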

Obviously if you were using the same password anywhere else on the net, you should change it now (and learn to stop reusing passwords!) as a matter of priority.

I was also disappointed to see no mention of the security breach on Office's home page:

Office website

You won't even find mention of the incident on its blog. Thanks to reader Gary Hawkins who discovered this buried-away link containing further information for concerned customers.

Has no-one learnt anything from eBay's shambolic response to its own security breach?



4 Responses

  1. Coyote

    May 29, 2014 at 8:56 pm #

    I've said and written about this for so many years… it is actually really sad and it is an awful fallacy at that:

    Not every compromised network is going to even refer to it at all. They're so afraid of their reputation being tarnished that they will do the exact opposite of what would make customers (or anyone with a little bit of (un)common sense) feel they deserve that (once) good reputation: hide it. That not only tarnishes their reputation (when found out, which eventually it will be), it also tarnishes their integrity and credibility as a company. Then there are those who will admit it but will hide information or (in some ways, worse) downplay the risks, for very similar reasons: their reputation. You can sense it from the way they word things; at least anyone with a very basic understanding of psychology and language (even if only one language, the one in question) can. Perhaps you don't even need an understanding of psychology, as it is enough to feel it even if you don't know _why_ you feel it. Of course that isn't even counting unknown intrusions.

    One of the only things I learned from school (perhaps because the school system, especially here, in my district, is reprehensible, and because I was – and am – ill), certainly the only really useful and wise thing is how reputations work. It takes work to gain and it takes work to lose reputation and that goes for good and bad reputation. Ironically, those corporations that do not know it are in some ways better than those who hide it (or downplay the risks)… at least until they discover it. Sadly it is rare that companies will take full responsibility and that includes being responsible in every way of the entire mess.

    More irony is how, when organisations like Apache (open source, etc.) are compromised, they not only document their mistakes, they document the entire series of events (i.e., how they were compromised) and how it led to the next step in the chain, until the end result (and what the result was/is). They cannot be commended enough no matter how bad the mistakes are (humans and all...), yet I feel they are often forgotten. There are other organisations that come to mind but they're never corporations. Wonder why that is (obviously a rhetorical question)…

  2. Former Office customer

    May 29, 2014 at 11:04 pm #

    I can confirm that office.co.uk user passwords were not encrypted a few years ago – upon registering I was immediately sent an e-mail containing all of my account credentials. Given that they have not made any mention of current encryption, I would assume that nothing has changed.

  3. Chris Thomas

    May 30, 2014 at 7:37 am #

    About time the Information Commissioner had authority to keep a register of such as office.co.uk.

    We need a well-publicised official 'Hall of Shame' of companies which take too lightly their responsibilities to their customers regarding the security and integrity of private information. It is essential that online trading, among other things, is no longer a lottery in which customers take a chance that their details are safe from the prying eyes of criminals.

  4. Stewart

    June 2, 2014 at 1:48 pm #

    Totally agree about naming and shaming companies that don't even take basic precautions with passwords. I went to "reset" my PlusNet login the other day and was emailed my username and existing password in plain text.
