
UK home shopping pioneers Lakeland have sent an email to all customers past and present to warn them that the retailer's website has been hacked. What Managing Director Sam Rayner calls a "sophisticated and sustained attack" took place late on Friday 19th July. Measures were taken at the time to block that attack and repair the system; however, the ongoing investigation has revealed that two encrypted databases were compromised.

In that email to customers, Rayner states that the company has been "unable to find any evidence that the data has been stolen" but nonetheless has taken immediate action to delete all customer passwords used on the site. Customers logging in will be required to choose a new password.


Although further details are scarce at this point in time beyond the hack using "a very recently identified flaw in the Java software used by the servers", Lakeland is to be applauded for a timely and honest disclosure of the breach. Rayner calls this a "policy to be open and honest with our customers" and, although he continues to state that it is not known for certain that the hackers succeeded in stealing data, Rayner does wisely admit that there is a 'theoretical risk' and as such thinks it best to be "proactive in alerting" customers. Obviously there is some careful wording being used here to try to mitigate any brand damage, and I'm no great fan of the whole 'potential/theoretical' language approach when disclosing such attacks (let's be honest, the chances are pretty high that those databases have been harvested), but kudos to Lakeland for doing the right thing in letting customers know as soon as possible.

What we don't know at the moment is the exact nature of the databases concerned, although the resetting of passwords would suggest that they contain customer and login data. We don't know the exact nature of the encryption either, other than the databases were encrypted, and questions such as whether the hashes were salted or not remain unanswered for now.

What we do know is that the Lakeland advice is spot on when Rayner advises "as a precaution... if you use the same password on any other account/s, you should change the passwords on these accounts as soon as possible".

Indeed, I would go so far as to say that perhaps the single most important step you can take to protect your data, given the number of high profile database breaches that happened over the last year, is to never reuse a password on multiple sites. Every password should be unique, and every password should be complex and strong. Use a password manager to both protect these in an encrypted database and make remembering them a no-brainer. Anything less is, quite frankly, asking for trouble...


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
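As an added illustration of why the unanswered salting question above matters (this is example code written here, not anything from Lakeland or from the post): with unsalted hashes, two customers who share a password produce identical digests, so one cracked record exposes every reuse, whereas a per-user random salt removes that linkage. The user names and passwords below are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two customers happen to share a password.
SAMPLE_USERS = {
    "alice@example.com": "Winter2013!",
    "bob@example.com": "Winter2013!",
    "carol@example.com": "a-different-passphrase",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: every reuse yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """Create a login record: fresh 16-byte salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_digests(table: dict) -> int:
    """Count digests shared by more than one user (reuse visible to an attacker)."""
    counts = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    return {user: store_password(pw)["hash"] for user, pw in users.items()}
```

Running `duplicate_digests` over both tables shows the unsalted one leaks the shared password (one duplicate digest) while the salted one leaks nothing, which is why the salted/unsalted question decides how much a stolen table is worth.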


Indeed, I would go so far as to say that perhaps the single most important step you can take to protect your data, given the number of high profile database breaches that happened over the last year, is to never reuse a password on multiple sites. Every password should be unique, and every password should be complex and strong. Use a password manager to both protect these in an encrypted database and make remembering them a no-brainer. Anything less is, quite frankly, asking for trouble...

I couldn't agree with you more. Passwords are very hard to create and keep for a long period of time. I change my passwords a few times a year. It's easy to say to create a complex and strong password, but actually creating one takes time. It takes me like a few hours to create one.
