Shoe retail chain Office decommissions servers after security breach

ICO says firm is making sure the issues around data breach are resolved

Shoe retail chain Office has decommissioned several of its servers that were compromised during a security breach that was first revealed in May 2014.

At the time, the company's CEO Brian McCluskey confirmed in a statement sent to Computing that the firm had been the subject of a security breach, but he emphasised that no credit card, debit card, PayPal or bank details were compromised in any way.

However, names, addresses, phone numbers, email addresses and passwords could all have been affected for accounts created before August 2013.

According to the Information Commissioner's Office (ICO), a hacker managed to get access to customers' contact details and passwords through an unencrypted database that was due to be decommissioned. The hacker also bypassed other technical measures and the incident went undetected.

The ICO said that Office had signed an undertaking to ensure issues around the data breach are resolved. It has decommissioned the servers in question and implemented a new hosting infrastructure.

According to the ICO's enforcement group manager, Sally-Anne Poole, the breach highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security measures to protect data.

Poole suggested that Office should have had stringent measures in place regardless of the server or system used, even when data is in the process of being deleted.

She said that businesses should regularly assess whether they need to retain personal data, as it shouldn't be kept for longer than required.

"Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details," Poole said.

The main concern for Office account holders was that their password could have been used to get in to one of their other online accounts such as their email accounts with easier access to bank details and sensitive information.

The ICO urges customers to use unique passwords for different accounts to ensure that in circumstances such as this, their other accounts aren't vulnerable.