Shoe retailer Office has been reprimanded by the Information Commissioner’s Office after the personal data of over one million customers was left exposed due to a hacking incident.
The hacker gained potential access to customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned. The hacker bypassed other technical measures the company had put in place, and the incident went undetected.
Since the hack, Office has signed an undertaking to ensure issues around the data breach are resolved.
ICO Enforcement Group Manager, Sally-Anne Poole, said: “The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.”
Poole used the breach to highlight that all data is vulnerable even when in the process of being deleted. She added: “Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required. Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”