Footwear Retailer Escapes Fine For Customer Data Breach

The Information Commissioner’s Office (ICO) has warned shoe retailer Office over its failure to protect customer data in a hack discovered last May, but stopped short of fining the company.

Office said at the time that no payment data had been compromised, but names, addresses, phone numbers, email addresses and passwords for the Office website may have been accessed on an unencrypted database that was due to be decommissioned.

That meant, notably, that the attacker could have accessed other accounts of Office users, if they had used the same username and password on multiple websites, although in fact there was “no evidence” to suggest that the customer information had been used any further, ICO group manager Sally-Anne Poole said in a statement.

“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data,” Poole stated.

Office has signed an undertaking to resolve these issues, and agreed to conduct regular penetration testing of its systems in the future, the ICO said. The company has decommissioned the servers in question and implemented a new hosting infrastructure.

Migration procedures

“Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk,” the ICO said in its report into the breach. “However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought.”

The retailer got off lightly in this case, according to security researcher Graham Cluley.

“It’s a lucky escape for Office, which hardly showered itself in glory by failing to bother mentioning the hack to customer via its website front page,” he said in an advisory.

Are you a security pro? Try our quiz!