Shoe retailer Office lost details of over one million customers in hack, but escapes fine

Graham Cluley

Regular readers may remember that last May it was revealed that UK shoe retailer Office had suffered a significant security breach, which resulted in hackers getting their claws on customers’ names, addresses, passwords, phone numbers and other personal information.

Luckily, the company didn’t store payment data – so at least that wasn’t breached. But it’s still easy to imagine how fraudsters and internet criminals could have abused the information that did fall into the hands of the hackers.

For instance, hackers could have tried the unencrypted passwords against online accounts on other websites – as so many people make the mistake of reusing passwords. Alternatively, online criminals could have created convincing phishing emails using the personal information they had acquired from Office’s breached customer database.


A report from the Information Commissioner’s Office (ICO) explains that the system accessed by the hackers contained an unencrypted historic Office database “that was being stored on a legacy server outside the core infrastructure of the current website”.

“Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought.”

So, you may be wondering – has Office been hit with a substantial fine for its sloppy attitude to security?

The answer, it appears, is no.

The ICO’s report stops short of hitting the retailer with a fine which surely would have woken other high-street names up to the danger of not taking security seriously.

Instead, Office has committed to conducting regular penetration tests on its systems in future, and to improve its customer data retention and disposal policy.

Opinions will no doubt be divided as to whether the ICO should have stamped down on Office harder, and booted them up the backside with a fine.

They may not have socked it to them, but ICO enforcement group manager Sally-Anne Poole did have some sensible words of warning to share with other companies who might be careless with their customer information:

“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly to ensure that the information is not being kept for longer than required.”

Personally I think it’s a lucky escape for Office, which hardly showered itself in glory by failing to bother mentioning the hack to customers via its website front page.

In this day and age, that really shows an enormous lack of respect or care for your paying customers.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “Shoe retailer Office lost details of over one million customers in hack, but escapes fine”

  1. Coyote

    "In this day and age, that really shows an enormous lack of respect or care for your paying customers."

    And your own reputation, integrity and many other things (and this includes that the situation is less serious in (your) view and it is clear to those who know about the breach yet find nothing obvious about it without having to dig around for it). Fine, they emailed customers but what about those that had a change in email (or any number of things)? Besides, is it really that hard and that painful to be honest about it? Is it really that hard to make it very visible? It will show a lot more sincerity than not and most customers (i.e. those that aren't only looking to be critical) would have more respect for their honesty.

    In the end, I don't think they should be fined, certainly they aren't the only one and I honestly don't think it'll change much. Maybe it would and maybe it should be for more than these things. Of course, in that light, perhaps governments should start paying citizens for their sloppiness (with their confidential data)? In that case maybe the same should go for corporations when this type of thing happens (although that would be very expensive and questionable in effectiveness, it certainly is more appropriate (compensating those affected) than simply paying a fine (pay the fine to an agency that oversees (you[1]), move along until next time, that's all there is to it)).

    [1] Of course maybe it does help those affected. I don't know. But I could see it both ways.

  2. Jonas

    The most frustrating thing about this is that if this had been an NHS trust or council office, the fine would never have been in doubt. It seems the ICO is still hesitant to fine the private sector.

    The private sector won't fund proper security until there is a strong business incentive. What the ICO has done here is basically say compromising records is ok, you will get a slap on the wrists but nothing else.

    How will this convince a CISO to spend any sum of money to protect the data?

    Even the reputational harm is non-existent. This has hardly hit the news and when it does, most customers are too apathetic to really take action.
