UK: Customer records left exposed after shoe company data breach
The Information Commissioner’s Office (ICO) has issued a press release indicating that high street and online shoe retailer Office has signed an undertaking following a hacking incident the ICO was informed about on May 29, 2014.
According to details in the undertaking, a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website. This gave the individual potential access to personal data relating to over a million Office customers, including contact details and website passwords.
Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.
“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.
“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”
The data breach also highlights the risk that arises when customers reuse the same password across all their online accounts: a password exposed by one breach can then be tried against every other service the customer uses.
Sally-Anne Poole added:
“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”