Information Commissioner's Office issues warning to Office shoe retailer over data breach

The Information Commissioner's Office (ICO) reprimands shoe retailer Office after a hacker exposed more than a million customers' personal data

The Information Commissioner’s Office (ICO) issued a warning to shoe retailer Office after a hacker attack exposed the personal data of more than a million customers.

The hacker managed to access customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned.

The hacker bypassed technical measures the company had put in place and the incident went undetected.

However, Office confirmed that it did not store customers’ bank details, so financial information was not compromised.

The ICO said there was no evidence to suggest the information accessed had been further disclosed or used.  

Office has signed an undertaking to resolve the problems that led to the data breach, was reported to the ICO in May 2014.

These measures include: Regular penetration testing of all websites and servers; updating data protection policy documents that include a retention and disposal policy for customer data; providing formal data protection training to all Office employees and regular refresher training; and ensuring that personal data is retained only for as long as necessary, in relation to the purposes of the processing.

Storing old data

“The breach has highlighted two hugely important areas of data protection: The unnecessary storage of older personal data and the lack of security to protect data,” said Sally-Anne Poole, ICO enforcement group manager. 

“All data is vulnerable, even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required,” she said.

Poole said the data breach highlighted the risks associated with customers using the same password for all their online accounts.

“This one incident could have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question,” she said.

“It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”

Office has committed to address the issues of data protection and has already decommissioned the servers in question and implemented a new hosting infrastructure.

Read more on Privacy and data protection