Marks & Spencer Suspends Website after Customers See Other Shoppers’ Details

By ISBuzz Team
Writer, Information Security Buzz | Nov 08, 2015 07:00 pm PST

Marks & Spencer was forced to suspend its website after customers were able to see other people’s details when they logged in to their accounts. Customers posted messages on the high street chain’s Facebook page to say they could see other people’s orders and payment details when they logged into their accounts. The firm said no customer’s details were compromised by the “technical difficulties”.

IT Security experts explain what this could mean for customers and what companies should do to prevent such glitches.

Jonathan Sander, VP of Product Strategy at Lieberman Software:

  • What can go wrong even without hackers involved? What should companies do to prevent details being released in such glitches?

“Issues like the one M&S experienced are a classic example of why quality assurance testing is so important. The M&S issue will be lumped in with data breaches and privacy, but I’m betting that’s not where it belongs. It’s likely simply some coding errors which have had a privacy impact. This is the kind of thing that only extensive, detailed test plans that are well executed will uncover.”
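The coding error described above, one customer's logged-in session returning another customer's order, is the kind of defect a detailed test plan is meant to catch. The following is an added illustration, not code from M&S, Lieberman Software or the article: a hypothetical order lookup with and without an ownership check, a constructed sample order store, and the QA check that distinguishes the two. All names (`Order`, `get_order_unchecked`, `get_order_checked`, `audit_cross_customer_access`) are assumptions for the example.

```python
# Added example (hypothetical code, constructed data): a missing ownership
# check on an order lookup lets any logged-in customer read any order, and
# a QA check that detects the leak before release.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int      # owner of the order
    items: Tuple[str, ...]
    card_last4: str       # payment detail that must never leak


# Constructed sample store: two customers, one order each (not real data).
ORDERS = {
    1001: Order(1001, customer_id=1, items=("jumper",), card_last4="4242"),
    1002: Order(1002, customer_id=2, items=("scarf", "gloves"), card_last4="1881"),
}
CUSTOMER_IDS = (1, 2)


class Forbidden(Exception):
    """Raised when an order is not available to the requesting account."""


def get_order_unchecked(session_customer_id: int, order_id: int) -> Order:
    """Defective lookup: keys on order id only, ignores who is logged in."""
    return ORDERS[order_id]


def get_order_checked(session_customer_id: int, order_id: int) -> Order:
    """Hardened lookup: returns the order only if it belongs to the session owner.

    'Not found' and 'not yours' produce the same response so that order ids
    cannot be probed to learn which ones exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden("order not available for this account")
    return order


Lookup = Callable[[int, int], Order]


def audit_cross_customer_access(lookup: Lookup) -> List[Tuple[int, int]]:
    """QA check: try every (customer, order) pair and report each case where a
    customer can read an order that is not theirs. An empty list means no leak."""
    leaks = []
    for customer_id in CUSTOMER_IDS:
        for order_id, order in ORDERS.items():
            if order.customer_id == customer_id:
                continue  # own order, allowed
            try:
                returned = lookup(customer_id, order_id)
            except Forbidden:
                continue  # correctly refused
            if returned.customer_id != customer_id:
                leaks.append((customer_id, order_id))
    return leaks


if __name__ == "__main__":
    print("unchecked lookup leaks:", audit_cross_customer_access(get_order_unchecked))
    print("checked lookup leaks:  ", audit_cross_customer_access(get_order_checked))
```

The audit function is the piece worth keeping in a regression suite: it exercises every customer against every order rather than the happy path only, which is exactly the case a quick manual check of "log in, see my orders" never covers.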

  • Is this just providing cybercriminals details on a plate and can they exploit this glitch further?

“Without understanding the exact nature of the flaw, it’s hard to say if bad guys could use it to gain some advantage. One thing that is sure is that given the thorough, automated approaches that today’s attackers use, if it was something that could be exploited it may already have been.”

  • How important is website security?

“As more business is done on websites and they get stuffed full of juicy bits of data used to fuel those transactions, websites will become a more serious target. Websites have always been a target because they were out in the open and easy to attack, and they have suffered from many well-known, easily exploited flaws, e.g. cross site scripting and SQL injection. In the past, though, the goal of attacking a website was often similar to the goal of graffiti. Online shopping, online banking, online everything important in our lives have changed the stakes of the game.”

  • Are customers aware of privacy issues?

“Consumer awareness of privacy and security is a mixed bag. Some are tuned into every move governments and corporations make and take their responsibility to secure their data seriously – and expect websites to do the same. Others are the people who post silly paragraphs about privacy on their Facebook status thinking that will somehow override the long, complicated legal agreements they clicked “I AGREE” on without reading. It’s fair to say that awareness is high, but understanding is low.”

Mark James, Security Specialist at IT Security Firm ESET:

  • What can go wrong even without hackers involved?

“Managing and expanding systems is not an easy task; daily work is needed to keep your systems working at optimal levels, and this can lead to hiccups or “technical difficulties” when presenting this data to those that need it.

Planning and testing are the only way to ensure these do not cause serious problems, but even this won’t stop any issues 100%, so having a clear back-up plan ready for when things go wrong should always be considered.”

  • Is this just providing cybercriminals details on a plate and can they exploit this glitch further?

“It’s quite possible that more data may have been available, but how much is too much? Surely even a small snippet of private data accessible by someone who should not see it is too much, and questions need to be asked both internally at M&S and externally by the public affected to ensure this is stopped from ever happening again. It’s one thing to lose your details through a sophisticated data breach, but for a company to just give them away is just not acceptable.”

  • How important is website security?

“In this time of seemingly daily occurrences of cyber-attacks it’s important for the public to have a perception of companies doing all they can to combat this. Whilst this particular event was not “hacking” related, an awful lot of users’ first thoughts would have been that their accounts were hacked.

It’s much harder for a company to regain that trust even if no hacking had actually taken place. This is a classic example of that: the average user will be unable to clearly separate “technical difficulties” and breached or hacked accounts, because they often go hand in hand when these events are disclosed.”

  • Are customers aware of privacy issues?

“It’s definitely more of a discussed subject these days. In this modern digital age virtually everything we do involves handing over details of our private lives in some form or another, to be stored on someone else’s hardware using someone else’s security to protect it.

But being aware and being careful are two very different things; we need to take ownership of security problems. Whilst it is down to the companies that get hacked to protect our data, it’s also down to us to not make it so easy to use that data elsewhere.”

  • What should companies do to prevent details being released in such glitches?

“Of course companies never plan to have any public data visible to anyone who should not see it, and cannot guarantee to be 100% secure, but having procedures in place to monitor, resolve and rectify any such events should always be in the background, ready to be put in action.

Using professional outside help should always be considered, as the biggest part of stopping such problems is understanding how they can happen in the first place. Regular system testing should always be performed to hopefully find and stop any such occurrence.”

About Lieberman Software: Lieberman Software proactively stops cyber attacks that bypass conventional enterprise defenses and penetrate the network perimeter. The company provides award-winning privilege management and security management products to more than 1,400 customers worldwide, including nearly half of the US Fortune 50. By automatically securing privileged access – both on-premises and in the cloud – Lieberman Software controls access to systems with sensitive data, and defends against malicious insiders, zero day attacks and other advanced cyber threats. Lieberman Software is headquartered in Los Angeles, CA, with offices and channel partners located around the world.

About ESET: ESET is a pioneer of proactive protection against cyber threats with its award-winning NOD32 technology. Daily, it protects over 100 million computers, laptops, smartphones, tablets and servers, no matter the operating system. ESET solutions for the home and business segments deliver a continual and consistent level of protection against a vast array of existing and emerging threats.
