
The online shoe retailer Office has received an official warning after the details of one million of its customers were exposed in a cyber-attack.
The hacker found the details in an unencrypted database on an older server that the firm was about to decommission, bypassing several defences and remaining undetected throughout the incident.
Sally-Anne Poole, enforcement group manager at the Information Commissioner’s Office (ICO), the UK data regulator, said: "All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used."
"The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required."
No evidence was found to suggest that the data stolen had been misused by the hacker, and no payment details were stored on the database in question, which has been taken out of use since the attack.
Brian McCluskey, chief executive of Office, confirmed penetration tests had taken place on both the new website and the old system on which the hack took place, but that the results for the latter had not been completed or recorded because it was about to be retired.
His company had previously justified its decision to keep historic data on the older server as a way to avoid downtime and information mismatches, but accepted that it may have overestimated those risks.
As part of its response to the incident, Office has agreed to conduct regular penetration testing, implement a new data protection policy and provide relevant training for its workers.
Poole added that the incident highlighted the dangers of password re-use, saying: "This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question."
She recommended that users choose a strong and unique password for each of their accounts, a strategy that has been questioned by some who claim it is impractical.