Regular readers may remember that last May it was revealed that UK shoe retailer Office had suffered a significant security breach, which resulted in hackers getting their claws on customers’ names, addresses, passwords, phone numbers and other personal information.
Luckily, the company didn’t store payment data – so at least that wasn’t breached. But it’s still easy to imagine how fraudsters and internet criminals could have abused the information that did fall into the hands of the hackers.
For instance, hackers could have tried the unencrypted passwords against the same customers’ accounts on other websites – as so many people make the mistake of reusing passwords. Alternatively, online criminals could have created convincing phishing emails using the personal information they had acquired from Office’s breached customer database.
A report from the Information Commissioner’s Office (ICO) explains that the system accessed by the hackers contained an unencrypted historic Office database “that was being stored on a legacy server outside the core infrastructure of the current website”.
“Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought.”
So, you may be wondering – have Office been hit with a substantial fine for its sloppy attitude to security?
The answer, it appears, is no.
The ICO’s report stops short of hitting the retailer with a fine which surely would have woken other high-street names up to the danger of not taking security seriously.
Instead, Office has committed to conducting regular penetration tests on its systems in future, and to improve its customer data retention and disposal policy.
Opinions will no doubt be divided as to whether the ICO should have stamped down on Office harder, and booted them up the backside with a fine.
They may not have socked it to them, but ICO enforcement group manager Sally-Anne Poole did have some sensible words of warning to share with other companies who might be careless with their customer information:
“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly to ensure that the information is not being kept for longer than required.”
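The ICO’s point about retention, and Office’s commitment to a better data retention and disposal policy, boil down to a routine check that is easy to automate. The script below is an added example written for this post; it is not code from Office, the ICO, or the article. It assumes a hypothetical two-year retention window counted from a customer’s last activity, a constructed set of customer records spread across a “live” system and a “legacy” store, and a simple business exception (an open order) for keeping a record. It reports which records are past their retention period per store, and flags any store that now holds nothing but expired data, which is exactly the kind of forgotten legacy copy described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: keep customer records for two years after last activity.
RETENTION_DAYS = 365 * 2


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    store: str             # which system holds the record, e.g. "live" or "legacy"
    last_activity: date    # last order, login or contact
    has_open_order: bool   # a business reason to keep the record for now


def is_expired(record, today, retention_days=RETENTION_DAYS):
    """True when the record is older than the retention window and nothing justifies keeping it."""
    cutoff = today - timedelta(days=retention_days)
    return record.last_activity < cutoff and not record.has_open_order


def retention_report(records, today, retention_days=RETENTION_DAYS):
    """Group customer ids per store into 'keep' and 'purge' buckets."""
    report = {}
    for record in records:
        bucket = report.setdefault(record.store, {"keep": [], "purge": []})
        key = "purge" if is_expired(record, today, retention_days) else "keep"
        bucket[key].append(record.customer_id)
    return report


def stores_holding_only_expired_data(report):
    """Stores whose every record is past retention: candidates for deletion, not migration."""
    return sorted(
        store for store, buckets in report.items()
        if buckets["purge"] and not buckets["keep"]
    )


# Constructed sample data for the example (hypothetical ids and dates).
SAMPLE_RECORDS = [
    CustomerRecord("c-1001", "live", date(2014, 3, 1), False),     # recent: keep
    CustomerRecord("c-1002", "live", date(2011, 11, 20), True),    # old, but open order: keep
    CustomerRecord("c-1003", "live", date(2011, 5, 5), False),     # old, no reason: purge
    CustomerRecord("c-1004", "legacy", date(2009, 8, 14), False),  # legacy copy: purge
    CustomerRecord("c-1005", "legacy", date(2010, 1, 30), False),  # legacy copy: purge
]


if __name__ == "__main__":
    today = date(2014, 6, 1)  # assumed run date for the example
    report = retention_report(SAMPLE_RECORDS, today)
    for store, buckets in report.items():
        print(f"{store}: keep={buckets['keep']} purge={buckets['purge']}")
    print("stores holding only expired data:", stores_holding_only_expired_data(report))
```

Run against the sample data on the assumed date, the live system has one record to purge and two to keep, while the legacy store contains nothing worth keeping and is flagged as a whole. In practice the purge step would be a real deletion (or secure wipe) against each store, and the report itself is the evidence that the retention review the ICO asks for actually took place.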
Personally I think it’s a lucky escape for Office, which hardly showered itself in glory by failing to bother mentioning the hack to customers via its website front page.
In this day and age, that really shows an enormous lack of respect or care for your paying customers.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.