Brabantia bins customer passwords as it admits data breach
In a letter published on its website, Brabantia admitted that its customer database had been “subject to unauthorised access”.
Some customer details may have been stolen. The company did not say exactly what information it holds on customers – for example, whether the database contained only email addresses or postal addresses as well – but it was clear that credit card details were not included.
“Brabantia does not receive or store banking numbers, credit card numbers or other financial data. All our payments are handled by an external company that is completely separated from our own systems,” it said in a statement.
However, as a precaution it has cancelled all customer account passwords, which means customers will have to set a new password before they can log in again.
Sophos said in its NakedSecurity blog that leaving files unencrypted is one of its seven deadly IT Sins. “We don't know how intruders got into Brabantia's database or exactly what they accessed, but we do know that all data that's considered sensitive or important should be strongly encrypted as a matter of routine when immediate access isn't required,” wrote Lisa Vaas on the blog.
However, given that the critical data – namely, credit card information – was handled by a third party with expertise in online security, it's debatable how serious this breach really was, according to a reader posting as “Markus” in the blog's comments.
“They did the right thing by outsourcing the really critical data like credit card numbers, so a company which handles this type of data for a living can take appropriate security measures,” he said.
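The Sophos recommendation above, that sensitive customer data should be encrypted at rest when it is not needed immediately, is easy to state and easy to get wrong. The following Go program is an added example written for this page; it is not Brabantia's code, nor Sophos's, and nothing is known about how the breached database was actually built. It shows field-level encryption of customer contact details with AES-256-GCM: each column value is sealed under a data-encryption key that is assumed to live outside the database (the `loadDataKey` function and its fixed bytes are a constructed stand-in for a KMS or secrets-store lookup), the column name is bound as associated data so a ciphertext cannot be moved between columns, and any edit to a stored value is rejected on decryption instead of yielding garbage. The customer record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// loadDataKey stands in for fetching the data-encryption key from a KMS,
// HSM or secrets store. The bytes below are a constructed stand-in for this
// example only: a real deployment never hard-codes the key, and never keeps
// it in the same database as the ciphertext, or a dump of the table would
// carry its own decryption key.
func loadDataKey() []byte {
	key := make([]byte, 32) // 32 bytes selects AES-256
	for i := range key {
		key[i] = byte(i * 7)
	}
	return key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one column value. The stored form is
// base64(nonce || ciphertext || tag). GCM needs a fresh random nonce for
// every value under a given key; reuse breaks both secrecy and integrity.
// The column name is passed as associated data, so a ciphertext copied from
// the email column into the address column will not open.
func encryptField(key []byte, column, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// decryptField opens a stored value. A wrong key, a mismatched column name
// or any modification of the stored bytes makes Open fail, and the caller
// gets an error rather than silently corrupted data.
func decryptField(key []byte, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, sealed, []byte(column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// corruptStored flips one bit of a stored value, simulating an attacker who
// edits a record in a stolen dump; GCM's tag check rejects the result.
func corruptStored(stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	raw[len(raw)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw), nil
}

func main() {
	key := loadDataKey()
	// Constructed sample customer record; no real data.
	customer := map[string]string{"email": "jan@example.com", "address": "Postbus 1, 1234 AB Example"}
	stored := map[string]string{}
	for col, val := range customer {
		enc, err := encryptField(key, col, val)
		if err != nil {
			panic(err)
		}
		stored[col] = enc
		fmt.Printf("%-8s stored as %s\n", col, enc) // what a dumped table would show
	}
	email, _ := decryptField(key, "email", stored["email"])
	fmt.Println("decrypted email:", email)
	if _, err := decryptField(key, "address", stored["email"]); err != nil {
		fmt.Println("email ciphertext placed in address column rejected:", err)
	}
	bad, _ := corruptStored(stored["email"])
	if _, err := decryptField(key, "email", bad); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

Two caveats matter more than the cipher choice. First, this protects against the scenario in the article, a copy of the database leaving the building, only if the key is not in that copy; an attacker who also reaches the application server or its key store gets the plaintext regardless. Second, passwords are not a case for encryption at all: they belong in a salted, slow password hash, which is why a breached shop resets them rather than relying on decryption being hard.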