Debenhams data breach underlines need for supply chain security

Data breach at retailer again highlights the importance of data protection and ensuring cyber security standards across an organisation’s entire supply chain, say security commentators

Debenhams is contacting 26,000 customers whose personal data is believed to have been exposed in a malware-enabled cyber attack on Ecomnova, which runs the Debenhams Flowers online florist.

The attack is believed to have taken place between 24 February and 11 April 2017, but was confirmed only on 29 April, which means the data was exposed for at least seven weeks.

The attackers are believed to have accessed personal data, including customers’ names, addresses and financial information.

Debenhams responded to the discovery by suspending all Ecomnova-run websites, contacting affected customers, and ordering a full investigation.

The retailer has also issued assurances that no data on its main website is affected by the breach and that customers can rest assured that their data has not been compromised.

Debenhams said it is working with Ecomnova to contact victims’ banks to request them to block payments and issue new cards.

Affected customers have been advised to change their online banking passwords, monitor bank balances closely and be suspicious of unsolicited emails, post and phone calls.

Scammers typically use stolen data either to carry out fraud or other malicious activity, or as a way of engaging victims to elicit even more personal data.

Anyone who suspects they have been a victim of fraud is advised to contact their bank or credit card provider, as well as report the incident to the Action Fraud crime reporting centre on 0300 123 2040 or online at actionfraud.police.uk.

“The Debenhams hack is a key reminder to businesses that the third-party vendors you partner with should be properly vetted to ensure they have secure systems in place,” said Jamie Graves, CEO at cyber security firm ZoneFox.

“This highlights the ever-increasing importance of having 360-degree visibility over all your data flow. Whether the data sits in your business or your partners’, this 20/20 vision around your data allows businesses to monitor for risky activities and behaviour that might be putting your data at risk.

“Such an approach goes a long way to ensuring that a breach – whether third-party or not – is identified and dealt with as quickly as possible.”

Jason Allaway, vice-president of UK & Ireland at security firm RES, said that with four different websites under the Debenhams umbrella being affected by malware, the incident again shows the complicated job that organisations have in protecting themselves while working with third-party providers.

Ubiquitous threat

“Malware is a ubiquitous threat for modern businesses,” he said. “There are really only businesses that have been targeted and those that will be in the future as categories nowadays. With this in mind, both technology and education have to be a vital component throughout your business – third parties included.

“Malware can only have an effect once it is let into the network, so extending any cyber security training and security measures you may offer to your partners can shut any potential back doors into your business that they may leave open.

“This is a timely reminder that outsourced branches and third parties need as much cyber scrutiny as the rest of any business.”

Javvad Malik, security advocate at AlienVault, highlighted the fact that attackers are increasingly going after personal data.

“It is essential that companies enforce strong threat detection controls so that any attacks can be quickly identified and responded to,” he said.

“In this case, Debenhams had outsourced the operation to a third-party supplier. It should have vetted the third party beforehand and ensured it had adequate security controls in place.”

The need for organisations to review and improve their ability to protect personal data has never been greater, with just over a year to go before they will have to comply with the EU’s General Data Protection Regulation (GDPR), which provides for fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.