ICO issues warning to Office concerning data breach
20 Jan 2015
The Information Commissioner's Office (ICO) has issued a warning to footwear retailer Office, following a hacking attack that exposed the personal data of over one million customers.
The hacker accessed customers' personal contact details and website passwords through an unencrypted database that was due to be decommissioned. By bypassing the online technical measures Office had put in place, the hacker went undetected, according to the ICO. Office stresses that it does not store customers' banking information, so financial details were not compromised.
According to the ICO there was no evidence that the hacked information had been used or further disclosed. To ensure that all issues and concerns regarding the data breach are resolved, Office has signed an undertaking: the footwear retailer has pledged to address its data protection issues, decommission the servers in question and implement a new hosting infrastructure.
"The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data," said Sally-Anne Poole, Group Manager at the Information Commissioner’s Office. "All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required."
"Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details." The data breach also highlights the risks associated with customers using the same password for all their online accounts.
"This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word."
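The two points the ICO makes above, that passwords held in readable form hand an attacker credentials that work on other sites, and that a dictionary word is a weak password even when the site does everything right, can be shown with a small simulation. The following is an added example, not code from Office, the ICO or the original article. It uses Python's standard-library scrypt as the password hash; the account rows, the wordlist and the record format "scrypt$N$r$p$salt$hash" are assumptions constructed for illustration.

```python
"""Added example: what an attacker gets from a dumped password table,
depending on how the passwords were stored. Not code from Office or the ICO."""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters chosen for illustration (assumed); tune for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash as 'scrypt$N$r$p$salt_hex$hash_hex' (assumed format)
    instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time; malformed or foreign records never verify."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(hash_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def crack_dump(rows, wordlist):
    """Simulate an attacker holding a dumped (email, stored_value) table.
    Readable passwords are taken as-is; hashed ones are tried against a wordlist.
    Returns {email: recovered_password} for every account the attacker now owns."""
    recovered = {}
    for email, stored in rows:
        if not stored.startswith("scrypt$"):
            recovered[email] = stored  # stored in the clear: no work needed
            continue
        for guess in wordlist:
            if verify_password(guess, stored):
                recovered[email] = guess  # dictionary word: hashing did not save it
                break
    return recovered


# Constructed sample data: hypothetical accounts and wordlist, not real records.
WORDLIST = ["password", "letmein", "office", "summer2014"]
PLAINTEXT_ROWS = [("a@example.com", "summer2014"),        # dictionary-style password
                  ("b@example.com", "T7#qz9!vLp2wRk")]    # strong, unique password
HASHED_ROWS = [(email, hash_password(pw)) for email, pw in PLAINTEXT_ROWS]

if __name__ == "__main__":
    print("plaintext table:", crack_dump(PLAINTEXT_ROWS, WORDLIST))
    print("hashed table:   ", crack_dump(HASHED_ROWS, WORDLIST))
```

With the plaintext table the attacker walks away with every password and can try each one against the customer's other accounts, which is the scenario the ICO describes. With the hashed table only the dictionary-word account falls, and only after per-guess scrypt work with a per-user salt, which is why password hashing at the service and unique, non-dictionary passwords chosen by the customer are complementary rather than alternatives. The constant-time comparison in verify_password avoids leaking how many leading bytes of a guess matched.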