ICO slammed for not fining breached shoe retailer

News by Tim Ring

The Information Commissioner's Office (ICO) has been heavily criticised for failing to fine London-based shoe retailer Office, after a hacker accessed more than a million of its customers' details and unencrypted passwords.

The ICO issued a formal warning to the high-street and online retailer on Monday, its official response to an attack the company suffered last May.

The hacker managed to access more than a million customer names, addresses and clear passwords which were being held by Office on an old server outside its core infrastructure.

In its reprimand, the ICO says the breach “highlighted hugely important areas of data protection”.

It discovered that Office had given its staff no formal data protection training, and the company's public-facing privacy policy contained no specific reference to retention periods.

Only a single penetration test was completed on the old database, and the results were not recorded because the legacy system was in the process of being decommissioned.

The ICO said: “The hacker bypassed technical measures the company had put in place and the incident went undetected.”

Group manager Sally-Anne Poole added: “This incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question.”

Despite that, the ICO stopped short of levying a fine, saying no bank details were compromised and Office has “signed an undertaking to ensure issues around the data breach are resolved”.

The watchdog has been strongly criticised for its stance by leading UK cyber-security experts.

Amar Singh, chair of the ISACA UK Security Advisory Group, said he was “nothing short of astounded”.

He told SCMagazineUK.com by email: “To me, the complete lack of training at an organisation the size of Office  demonstrates utter disregard and carelessness toward customers' privacy and regulations - some would say what regulations?

“To add to this, the ICO's response may only add to the current state of lethargy and outright laziness amongst organisations. A stronger response would have sent the right message, that if you have blatant disregard for personal information you will be punished!”

Mark James, security specialist at ESET, was similarly unimpressed telling SC: “If they did something wrong, then the only means of punishment available is a fine. Being warned won't achieve anything. It won't make the directors or shareholders stand up and take notice, so ultimately it will achieve nothing.

“There have been thousands of breaches over the last few years. So fear of being next, or the damage it does from a PR point of view, is not causing companies to make changes. Realistically the only punishment should be a fine.”

The ICO was contacted by SC but declined to make any further comment. In its announcement, it said: “Office has already decommissioned the servers in question and implemented a new hosting infrastructure.”

Brian McCluskey, CEO of Office, told SC via email: “Office took this breach extremely seriously as our customers are our number one priority and our e-commerce offering is an important part of our trading platform.”

McCluskey said that since May, Office has led an extensive enquiry into the breach, working in close consultation with the ICO.

He added: “I can confirm that Office has now taken steps to further strengthen its online security measures, in line with guidance from the ICO and the requirements of the UK Data Protection Act, to safeguard customer data. The ICO has confirmed that it will not be taking any further action on this matter.”

But Singh commented: “The CEO of Office appears to pacify the ICO by saying the breach is not that severe because there were no bank details stolen. The rest of the stolen attributes are deemed almost secondary - names, emails, passwords and contact details of one million customers.”

Singh also highlighted “...something I see over and over again - the appetite or lack of, to do the right thing.

“Many, if not all organisations, are very likely in similar situations – new shiny systems are up and running but hidden somewhere are legacy systems and databases that have been forgotten about because, as in this case, there was no-one willing or able to do the right thing and ensure that all loose ends are tied up.”

Office was launched in London in 1981 and has more than 150 retail outlets under different brand names, including concessions in Selfridges, Topshop, House of Fraser & Harvey Nichols. As well as the UK, the company has outlets in Ireland, the US and Germany.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews