The Information Commissioner’s Office (ICO) has warned shoe retailer Office over its failure to protect customer data in a hack discovered last May, but stopped short of fining the company.
Office said at the time that no payment data had been compromised, but names, addresses, phone numbers, email addresses and passwords for the Office website may have been accessed on an unencrypted database that was due to be decommissioned.
That meant, notably, that the attacker could have accessed other accounts of Office users, if they had used the same username and password on multiple websites, although in fact there was “no evidence” to suggest that the customer information had been used any further, ICO group manager Sally-Anne Poole said in a statement.
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data,” Poole stated.
Office has signed an undertaking to resolve these issues, and agreed to conduct regular penetration testing of its systems in the future, the ICO said. The company has decommissioned the servers in question and implemented a new hosting infrastructure.
“Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk,” the ICO said in its report into the breach. “However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought.”
The retailer got off lightly in this case, according to security researcher Graham Cluley.
“It’s a lucky escape for Office, which hardly showered itself in glory by failing to bother mentioning the hack to customer via its website front page,” he said in an advisory.
Are you a security pro? Try our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…