Shoe retailer Office escapes ICO fine despite serious data breach

21.01.2015
High street shoe retailer Office has escaped a fine from the Information Commissioner's Office (ICO) after a security breach, which occurred at some point in the months before May 2014, compromised the personal details of one million customers.

The breach happened after a hacker gained access to an older, unencrypted database held on a parked server. It contained records of customers up to August 2013, including names, postal addresses, phone numbers, email addresses and website passwords.

Office put forward a web of arguments to explain its failure to secure the data. The firm said it had put in place "several technical measures" to protect the server and had even carried out a penetration test to check their effectiveness; the result of that test was never recorded, it said, because the database was being decommissioned.

The firm had also intended to strip identifiable customer data from the database before parking it, but decided against doing so because it might add complexity, disruption and downtime.

Office did admit it had no formal policy on data retention and had not trained staff on data protection. This implies that the database might have sat in its parked but still-vulnerable state, awaiting a decommissioning that never completed, for some time, or even indefinitely.

"The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data," said ICO group manager, Sally-Anne Poole.

"All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used.

"The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required."

Given the scale of the breach - one million is a substantial number of customer records for any retail hack - the fact that the ICO has not fined the firm is surprising.

According to Poole, the information did not appear to have been abused after the hack and did not include financial data. This is strained logic. If the data was non-financial, it is hard to see how the ICO can be sure it was not abused, since misuse of names, addresses and passwords might not become apparent for some time.

As for the absence of financial data, it could be argued that this is beside the point. Customer data such as names, addresses, phone numbers and passwords are of critical importance to the individuals concerned, arguably more so than card details, since fraudulent card transactions would in any case be covered by Office's liability for the loss, whereas a reused password cannot be refunded.

Office has signed an undertaking to address the data protection issues raised by the incident.

Office will think itself lucky to escape without a fine. Last July, travel firm Think W3 Limited was hit with a £150,000 fine for a breach involving around a million customers. That incident involved several hundred thousand valid credit card details, which clearly counted against the firm.

In 2010, Office was sold to private equity company Silverfleet Capital by Scottish entrepreneur Sir Tom Hunter for a reported £150 million. Its current owners are believed to be preparing the retailer for a stock market flotation.

(www.computerworlduk.com)

John E Dunn