Shoe retailer Office escapes ICO fine despite serious data breach

One million customers compromised in 2014 hack

High street shoe retailer Office has escaped being fined by the Information Commissioner (ICO) after a security breach sometime in the months before May 2014 compromised the personal details of one million customers.

The breach happened after a hacker gained access to an older, unencrypted database of customer records up to August 2013, held on a parked server, which contained names, addresses, phone numbers, email addresses and website passwords.

Office put forward a web of arguments to explain its failure to secure the data. The firm said it had put in place "several technical measures" to protect the server and had even carried out a penetration test to check on their effectiveness, the result of which was not recorded because the database was being decommissioned.

The firm had also intended to remove recognisable customer data from the database but decided against that option because it might add complexity, disruption and downtime, it said.

Office did admit it had no formal policy on data retention and had not trained staff on data protection. This implies that the database might have sat in its decommissioned but vulnerable state for some time, or even indefinitely.

"The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data," said ICO group manager, Sally-Anne Poole.

"All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used.

"The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required."

Given the scale of the breach - one million is a substantial number of customer records for any retail hack - the fact that the ICO hasn't fined the firm is surprising.

According to Poole, the information didn't appear to have been abused after the hack and didn't involve financial data. This is strained logic. If the data was non-financial, it is hard to know how the ICO can be sure it wasn't abused, as this might not become apparent for some time.

As for the fact that financial data was not involved, it could be argued this is beside the point. Customer data such as name, address, phone numbers and passwords are of critical importance to the individuals concerned, far more so than financial data that would be covered by Office's liability for any loss anyway.

Office has signed an undertaking to address the data protection issues raised by the incident.

Office will think itself lucky to escape without a fine. Last July, travel firm Think W3 Limited was hit with a £150,000 fine for a breach involving around a million customers. That incident involved several hundred thousand valid credit card details, which clearly counted against the firm.

In 2010, Office was sold to private equity company Silverfleet Capital by Scottish entrepreneur Sir Tom Hunter for a reported £150 million. Its current owners are believed to be preparing the retailer for a stock market flotation.

Stories by John E Dunn