Shoe retailer Office warned on data breach

Office shoe shop on Oxford Street
Image caption The breach happened in May and saw an old server attacked

The Information Commissioner's Office (ICO) has warned High Street and online shoe retailer Office to clean up its act after a data breach exposed more than one million customer details.

The breach in May left the personal data of customers exposed, although no financial information was compromised.

Office has promised to ensure the issues that led to the data breach are resolved.

But it raises questions about how and why retailers store data.

In May, the ICO was informed that a member of the public had hacked into an unencrypted historical Office database that was being stored on a server outside the core infrastructure of the retailer's current website.

From there, the individual gained access to the personal data of more than one million Office customers, including contact details and website passwords.

Same password

"The breach has highlighted two hugely important areas of data protection - the unnecessary storage of older personal data and the lack of security to protect data," said ICO enforcement group manager Sally-Anne Poole.

"All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used.

"The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required."

There is no evidence that the information accessed has been further disclosed or otherwise used.

But the hack highlights the potential problems involved in having the same password for all online accounts.

"This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question," said Ms Poole.

"It's important to use a unique, strong password for each separate account; preferably a combination of numbers and letters - not a name or dictionary word."

Brian McCluskey, chief executive of Office Holdings, has agreed to a series of measures including:

  • frequent testing of the systems it uses
  • new data protection policies
  • formal data protection training for all employees
  • ensuring that data is only retained for as long as necessary in relation to the purposes of processing

In response to the enquiry he said "Office took this breach extremely seriously as our customers are our number one priority and our e-commence offering is an important part of our trading platform."

More on this story