UK shoe retailer Office hit by data breach – Will secure passwords make a difference?

19 June 2014

It’s always the same old tune. Immediately after the UK shoe retailer Office announced a data breach on 29 May 2014, the debate on passwords started again.

In my opinion a statement like ‘…demonstrates just how insecure passwords are’ makes no sense in this case.

It’s far more interesting to know how the incident could have happened. The information from the Office homepage [4] gives us some hints:

(1) ‘Unfortunately we have been the subject of a security breach resulting in unauthorised access to some Office.co.uk accounts’

(2) ‘Only accounts created prior to August 2013 have been affected, but the information does include name, address, phone number, email address and the password to your OFFICE account.’

(3) ‘Yes – the OFFICE website is safe and secure. The server that was compromised was a server containing no live data and has been isolated.’

From (2) and (3) it is highly probable that in August 2013 Office IT staff created a copy of the customer database on a system that was not connected to the internet. This copy was obviously not sufficiently protected. According to (1) it is very likely that attackers compromised employee login credentials and got unauthorized access to the Office company network.

This is nearly the same attack pattern as in the eBay case some weeks ago. And, just as in the case of eBay, hashing of passwords or encrypting the entire customer database would not have prevented the data breach.

It is the combination of People, Processes and Technology that makes the world a much safer place. Just some hints…

People

  • Customers: Use strong and site-specific passwords
  • Office employees: Run an awareness campaign with focus on identity theft and how to handle this efficiently

Processes

  • Change processes to protect servers, which store copies of customer data, in the same way as production servers

Technology

  • At least for access to systems storing customer data, set up Two-Factor Authentication / one-time passwords

4 thoughts on “UK shoe retailer Office hit by data breach – Will secure passwords make a difference?”

  1. Pingback: Homepage

  2. legit work from home

    Very nice post. I just stumbled upon your blog and wanted to say that I have truly enjoyed surfing around
    your blog posts. After all I’ll be subscribing to your feed
    and I hope you write again soon!

