Footwear Chain Office Hacked, Customer Data Compromised

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Follow on: Google +

The attackers gained access to names, addresses, phone numbers, emails and passwords, which were apparently stored unencrypted

High street footwear retailer Office admitted that hackers had recently breached its website. It said no financial information was compromised, but the attackers managed to gain access to customer details including names, physical addresses, phone numbers, email addresses and passwords.

The company has asked customers to change their passwords, which were apparently stored unencrypted. It refused to tell TechWeekEurope just how many users were affected by the breach.

Last week, eBay revealed it had become victim of a similar incident, in which hackers were able to access customer data. It subsequently reset passwords for around 128 million accounts. The company was criticised for the lack of adequate protection and slow response time, and is now facing investigations by the UK’s Information Commissioner’s Office (ICO) and the local authorities of at least three different American states.

A familiar tune

Office, which operates 153 shops around the world, has sent out emails in which it apologised to customers, and asked them to change their passwords. The company said it was first made aware of a potential breach on 22 May and confirmed it after an extensive investigation on 26 May.

Hacker (c) Amir Kaljikovic, Shutterstock 2014Echoing eBay’s warnings made last week, Office asked customers to also change login credentials on other websites where they used the same password.

“Only accounts created prior to August 2013 have been affected, but the information does include name, address, phone number, email address and the password to your OFFICE account,” said the email.

Customers have criticised Office for failing to provide any information on the website, seeing it as an attempt to play down the breach. At the time of publication, the website still didn’t display a notice, while the firm’s press office refused to provide any information not already included in the official statement.

“The protection of customer data is of the utmost importance to us and we are treating this extremely seriously,” said CEO Brian McCluskey. “Our customers remain our number one priority and we are taking all necessary measures to ensure that our website remains secure.”

Meanwhile, the email claimed that the company has “taken the necessary measures” to secure customer data. These statements seem to contradict the fact that such important information was left unencrypted.

Although the attack doesn’t immediately threaten customer credit cards or PayPal accounts, the data could be used for unsolicited marketing and phishing attempts, so Office customers with older accounts are advised to be extra careful online in the coming months.

“Given how prevalent such hacks are becoming I think brands need to offer assurances about the measures they take to protect customer data,” commented Charles Sweeney, CEO of security company Bloxx. “The success of ecommerce is based on consumers trusting the site that they are transacting with and companies are on the verge of that trust being eroded. Once it is gone it will be very hard to get back.”

How well do you know network security? Try our quiz and find out!