Office has had an official warning about the way it stores personal data after the details of more than one million customers were left exposed in a hacking incident.
The Information Commissioner’s Office (ICO) issued the warning after a hacker broke into an unencrypted Office database without being detected by the multichannel shoe retailer. The hacker bypassed technical measures the company had put in place to protect the database, which was due to be decommissioned. As a result of the attack, reported to the ICO in May 2014, the hacker could potentially have gained access to customers’ contact details and website passwords.
No evidence has emerged that the information was used further, however, and the company did not store any bank details, said Sally-Anne Poole, group manager at the ICO. She said the hacker could have used information such as passwords from the database to access accounts that clients held with other organisations.
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data,” said Poole. “All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or systems used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
In the undertaking that Office was required to sign, Brian McCluskey, chief executive of Office Holdings, said the retailer had kept the historic customer data because it thought removing it would add complexity and risk data mismatches, operation downtime and customer disruption. “However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over-cautious and not strictly required.
“However, amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.”
Office has now promised to test its websites and servers regularly, and to put in place new data protection policies, training and security measures.