A cyber-attack has compromised the personal data of up to 26,000 Debenhams customers. The breach, which is understood to have been malware-based, targeted the online portal for the retailer’s florist arm, Debenhams Flowers. IT security experts from Cylance, Imperva and Kaspersky Lab commented below.
Anton Grashion, Managing Director Security Practice at Cylance:
“It’s an unfortunate fact of life for security teams that an organization’s data is only as secure as the weakest link in the chain, which is often smaller third-party vendor organizations. It’s absolutely critical to evaluate information security risk when choosing and onboarding a vendor, as well as to outline minimum security practices and stipulate liability in agreements with those organizations.”
Ajay Uggirala, Director at Imperva:
“Our experience show that 100% of businesses are under attack. Unfortunately, here are only two types of companies those that have been breached and those that don’t know that they have been breached yet. This breach highlights the necessity for strong vetting procedures when taking on third-party suppliers. Your company’s security is only as strong as that of your suppliers.
Debenhams have confirmed that customer payment details, names and addresses were accessed or stolen during the attack. If you think you may have been affected you should be wary of phishing attacks which may use your personal information to target you. You should also keep a close eye on your bank statements, watching out for anything unusual, or better still, tell your bank and request a new card.”
David Emm, principal security researcher at Kaspersky Lab:
“Customers that entrust private information to the care of a business should be safe in the knowledge it is kept in a secure manner. Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. It’s crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms. The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before the company becomes a target.
Consumers have no control over the security of their online providers. However, they can mitigate the risk of a security breach of an online provider’s systems. We would recommend that everyone uses unique, complex passwords for all their online accounts. Many people use the same password across multiple online accounts: if their details have been exposed because one of their online providers has been compromised, they could find that other accounts are exposed too. We would also urge people to take advantage of two-factor or two-step authentication where a provider offers this.
It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner.”