UK shoe retailer Office hit by data breach

Data breach at UK shoe retailer Office prompts calls for online firms to beef up security around customer details

The security industry is calling on all online service providers and retailers to beef up their security as UK shoe retailer Office advises customers to change their passwords after its IT systems were breached.

The breach comes within days of news of similar compromises at music streaming service Spotify and online auction site eBay, which all indicate a need for tighter controls around user data.

“We can confirm that no credit card, debit card, PayPal or bank details were compromised in any way,” Office said in an online notice and an email to customers.

Only accounts created before August 2013 have been affected, the company said, but the compromised information does include name, address, phone number, email address or account passwords.

The company has not said whether the information was encrypted or how many customers had been affected.

“This possibly means we can expect the worst and that even the most basic protection wasn’t in place to prevent the hackers from exploiting any stolen passwords,” said independent security advisor Graham Cluley in a blog post.

More on data breaches

He is among a growing number of security industry representatives calling for all personal data to be at least encrypted, and preferably hashed and salted as well.

“If you were using the same password anywhere else on the net, you should change it now (and learn to stop reusing passwords!) as a matter of priority,” Cluley wrote.

Retailers slow to communicate data breaches

Office contacted affected customers by email, but not until a week after the breach was discovered and three days after launching an investigation into the breach.

Cluley also criticised the retailer for making no mention of the breach on the homepage of its website or in the company blog.

eBay has come under increasing criticism over the handling of its breach, especially for the delays in informing users.

It took eBay several weeks to detect the intrusion, but the company delayed a further two weeks after confirming data had been accessed before notifying anyone.

“The trend of organisations revealing in an email that a hack has taken place and delaying the education process must come to an end,” said Paul Martini, chief executive at iboss Network Security.

Failure to communicate is failure to protect. Speed of information is everything when it comes to handling a hacking incident

Paul Martini, iboss Network Security

“Failure to communicate is failure to protect. Speed of information is everything when it comes to handling a hacking incident,” he said.

Martini said that while emails are rarely read instantly, most people who shop online are on Twitter and Facebook throughout the day.

“Organisations must communicate across every channel – the company website, Facebook, Twitter – or risk increasing the damage caused by the hack,” he said.

Security breaches damage trust

This negative impact includes reputational damage, said Jason Hart, vice-president of cloud solutions at security firm SafeNet.

“Data breaches are not just breaches of security. They are also breaches of trust between companies and their customers,” he said.

Charles Sweeney, chief executive of security firm Bloxx, said the increasing frequency of data breaches involving passwords means service providers and retailers need to offer assurances about protecting customer data.

“The success of e-commerce is based on consumers trusting the site they are transacting with, and companies are on the verge of that trust being eroded,” he said.

Read more on Privacy and data protection

Data Center
Data Management