It's always the same old tune. Immediately after the UK shoe retailer Office announced a data breach on 29 May 2014, the debate about passwords started again.
In my opinion, a statement like '…demonstrates just how insecure passwords are' makes no sense in this case.
It is far more interesting to ask how the incident could have happened. The information on the Office homepage gives us some hints:
(1) ‘Unfortunately we have been the subject of a security breach resulting in unauthorised access to some Office.co.uk accounts’
(2) ‘Only accounts created prior to August 2013 have been affected, but the information does include name, address, phone number, email address and the password to your OFFICE account.’
(3) ‘Yes – the OFFICE website is safe and secure. The server that was compromised was a server containing no live data and has been isolated.’
From (2) and (3) it is highly probable that in August 2013 Office IT staff made a copy of the customer database on a non-production system, most likely one inside the corporate network rather than part of the public web shop. This copy was clearly not protected to the same standard as the live system. According to (1), it is very likely that attackers obtained employee login credentials, used them to gain unauthorised access to the Office company network, and from there reached the copy.
This is nearly the same attack pattern as in the eBay case some weeks ago, where the attackers also started from compromised employee credentials. And, just as with eBay, hashing the passwords or encrypting the entire customer database would not have prevented the data breach: whoever can log in as a legitimate user or administrator reads the data the same way that user does. Hashing would, however, have limited the damage. A properly salted, slow password hash cannot simply be read out and reused at other sites, which is exactly what statement (2) suggests happened to the plain passwords here; the names, addresses and phone numbers would still have been exposed.
It is the combination of People, Processes and Technology that makes the world a much safer place. Just some hints…
- Customers: use strong, site-specific passwords (a password manager makes this practical), so that a password leaked from one shop opens no other account
- Office employees: run an awareness campaign focused on credential theft (phishing, malware on workstations) and on how to report a suspected incident quickly
- Change processes so that servers holding copies of customer data are protected in the same way as production servers: the same patching, hardening, access control and monitoring, and a rule that the copy is deleted as soon as it is no longer needed
- At least for access to systems storing customer data, set up Two Factor Authentication / One-time-passwords, so that a stolen password alone is not enough to get in