The security industry is calling on all online service providers and retailers to beef up their security as UK shoe retailer Office advises customers to change their passwords after its IT systems were breached.
The breach comes within days of news of similar compromises at music streaming service Spotify and online auction site eBay, which all indicate a need for tighter controls around user data.
“We can confirm that no credit card, debit card, PayPal or bank details were compromised in any way,” Office said in an online notice and an email to customers.
Only accounts created before August 2013 have been affected, the company said, but the compromised information does include name, address, phone number, email address or account passwords.
The company has not said whether the information was encrypted or how many customers have been affected.
“This possibly means we can expect the worst and that even the most basic protection wasn’t in place to prevent the hackers from exploiting any stolen passwords,” said independent security advisor Graham Cluley in a blog post.
“If you were using the same password anywhere else on the net, you should change it now (and learn to stop reusing passwords!) as a matter of priority,” Cluley wrote.
Retailers slow to communicate data breaches
Office contacted affected customers by email, but not until a week after the breach was discovered and three days after launching an investigation into the breach.
Cluley also criticised the retailer for making no mention of the breach on the homepage of its website or in the company blog.
eBay has come under increasing criticism over the handling of its breach, especially for the delays in informing users.
It took eBay several weeks to detect the intrusion, but the company delayed a further two weeks after confirming data had been accessed before notifying anyone.
“The trend of organisations revealing in an email that a hack has taken place and delaying the education process must come to an end,” said Paul Martini, chief executive at iboss Network Security.
“Failure to communicate is failure to protect. Speed of information is everything when it comes to handling a hacking incident,” he said.
Martini said that while emails are rarely read instantly, most people who shop online are on Twitter and Facebook throughout the day.
“Organisations must communicate across every channel – the company website, Facebook, Twitter – or risk increasing the damage caused by the hack,” he said.
Security breaches damage trust
This negative impact includes reputational damage, said Jason Hart, vice-president of cloud solutions at security firm SafeNet.
“Data breaches are not just breaches of security. They are also breaches of trust between companies and their customers,” he said.
Charles Sweeney, chief executive of security firm Bloxx, said the increasing frequency of data breaches involving passwords means service providers and retailers need to offer assurances about protecting customer data.
“The success of e-commerce is based on consumers trusting the site they are transacting with, and companies are on the verge of that trust being eroded,” he said.