Marks & Spencer data compromise not a hack

M&S website closed for two hours as customers see the account details of others. Retailer says it was an internal issue, not a hack, and no financial details were disclosed.

Closing its website is like closing the doors to flagship store on Oxford Street, London
Closing its website is like closing the doors to flagship store on Oxford Street, London

High-street retailer M&S closed its website yesterday following complaints from customers that they could see the details of fellow customers when they logged into their own online accounts. 

The website was shut from 6.30pm (GMT) to 9pm last night. 

Personal data, including names, dates of birth, contacts and previous orders details of at least one other customer were viewable, but while the company says customers' full credit card details were not among the exposed information, other reports say that the last four digits of some accounts were briefly shown. 

The company says it was not an external hack but an internal problem, saying in a statement: "Due to a technical issue we temporarily suspended our website for a period last night. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused."

Even though this does not appear to be an external hack, the Data Protection Act requires that data controllers implement "appropriate technical and organisational measures" to prevent the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".  

Failure can lead to fines by the Information Commissioner's Office (ICO) of up to £500,000 – though such sums tend to be reserved for deliberate and repeated breaches. 

The ICO is reported to be aware of the incident and is making enquiries. Individuals are only able to claim compensation if they have suffered damage, such as financial loss, and even then they would need to pursue their own legal case if the company did not offer compensation.

While there is currently no legal requirement to report a breach, this would change under the proposed General Data Protection Regulation which may also be able to impose fines of up to up to five percent of global turnover or €100 million, whichever is the greater.

But for many companies it is reputational damage which is the greater incentive to ensure customer data is kept safe.

Phil Barnett, VP Global at Good Technology emailed SCMagazineUK.com to comment that recent surveys showed 90 percent of companies have been hacked, suggesting: “...anyone and everyone is a potential victim of hacks and data leaks. Marks and Spencer's proves that customer data breaches are real threats and have serious consequences.”

He added: “Data is a company's biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority. When [EU regulation] GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it's not just going to be some painful interviews and a drop in share price, there's the potential of big fines for every business."

Jeremiah Grossman, founder of WhiteHat Security observed: "Vulnerabilities in websites are incredibly common, even amongst the largest brands. Many businesses are still unaware of online business risks, or have delayed taking appropriate action, which is unfortunate for them and their users. 

"According to our 2015 website security statistics report, 86 percent of 30,000 websites have at least one serious vulnerability where an attacker could compromise the system and cause serious commercial or reputational damage. And to add insult to injury, it takes an average of 193 days to remediate the vulnerabilities that are fixed – not to mention the 39 percent of flaws that are never closed.”

Grossman says the key is in identifying the security metrics that mean the most to the organisation, and focusing on those activities to fix specific vulnerabilities. He suggests that the best way to lower the average number of vulnerabilities, speed up time-to-fix and increase remediation rate is, “to feed vulnerability results back to the development teams though established bug tracking or mitigation skills. This approach makes application security front-and-centre in a development group's daily activity and creates an effective process to solve problems."

Keith Poyser, MD, EMEA of Accellion  noted in an email to SC that: "The extent of the damage in Marks & Spencer's security breach may be unknown, but what we do know is that every organisation needs to take cyber-security and data leak prevention more seriously... cyber-security is still not ingrained at every level of UK organisations' cultural mindset. That means cyber-security must reach everything and everyone, from the latest tech to even the savviest employee.”

Richard Beck, head of cyber-security at QA, agreed on the need for employee education, telling SC that: “Every day websites are hacked, or legitimate access denied via an attack, often as a smokescreen to conceal a secondary crime where sensitive data is stolen.  Awareness of the risk is growing, but as cyber-security attacks become more sophisticated, targeted and persistent, organisations must ensure that employees are fully up to date with three things.  First, timely knowledge of the threats themselves.  Second, how to minimise the risk of falling foul of these threats. Third, the agreed plan of action when disaster strikes. The majority of IT security incidents are down to human error, so educating employees will significantly reduce the chances and minimise the impact of your business becoming a victim of cyber-crime."