M&S suspends website activity in latest tech woe to befall a major brand

M&S suspends website activity as cyber breach concerns reach tipping point

Marks & Spencer was forced to suspend activity on its website on Tuesday evening following reports that sensitive customer data was being revealed to other users when logged-in to personal shopping accounts.

The website was taken offline for roughly two hours while technical teams rushed to fix what the firm described as a “technical issue”.

An M&S spokesperson told V3: “Due to a technical issue we temporarily suspended our website yesterday evening. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused.”

It is not thought that the incident is a result of hacking activity, but a number of M&S customers took to social media to complain.

One customer, Zoë Reed, writing on the M&S Facebook page, said that she had encountered a problem with loyalty points and claimed that another user’s credit card details were openly visible.

“At one point last night my account, when I managed to log in, [had] 277,000 loyalty points. They say that customer’s bank details were not compromised, but I could see the lady’s card details in full,” she said.

Another customer, Mandy Green, wrote: “I logged-on to my account earlier this evening and was able to see details of another person’s account. I logged out again immediately. I then tried to log-in again and this time I could see someone else’s account details.”

The incident is just the latest major issue to befall a major brand online and Phil Barnett, vice president of global sales at Good Technology, said it seems many firms are “flying blind” when it comes to online security.

“It’s almost a daily occurrence to have high street names being breached. If you haven’t put measures in place, customer data is very exposed and you look irresponsible,” he told V3.

Jonathan Sander, vice president of product strategy at Lieberman Software, agreed and said the M&S problems show why quality assurance testing on websites is vital.

“The M&S issue will be lumped in with data breaches and privacy, but I’m betting that’s not where it belongs. It’s likely to be simply some coding errors which have had a privacy impact. This is the kind of thing that only extensive, detailed test plans that are well executed will uncover,” he told V3.

“Without understanding the exact nature of the flaw, it’s hard to say if the bad guys could use it to gain some advantage. One thing for sure is that, given the thorough, automated approaches that today’s attackers use, if it was something that could be exploited it may already have been.”

Personal data is big business

password log in

The news follows a significant data breach at mobile and internet provider TalkTalk, which is said to have affected up to four million customers after names, addresses and partial credit card numbers were exposed.

Even if hackers are not actively targeting a website’s defences, a technical glitch can still be exploited as personal data becomes increasingly valuable in the wrong hands.

The Office for National Statistics revealed that more than seven million cyber crimes are committed every year in the UK, often using personal details stolen during attacks or data breaches.

As a result, the sale of personal information online has become a lucrative business. Recent research by Intel Security suggested that stolen identities on the dark web can be bought for as little as £12.

As such busineses, especially those operating in the consumer sphere, such as retail, should carry out all the necessary security measures to stop this happen, as Mark James, security specialist at ESET, told V3.

“Managing and expanding systems is not an easy task. Daily work is needed to keep your systems working at optimal levels and this can lead to hiccups or ‘technical difficulties’ when presenting this data to those that need it,” he said.

“It’s one thing to lose your details through a sophisticated data breach, but for a company to just give them away is not acceptable.”

Given these risks, and the fact a firm can itself accidentally leak data, it is important to know how to react if a breach occurs.

One way to do this is to adopt rigorous cyber incident plans that demonstrate exactly how to respond to a cyber attack, according to Jeremy King, international director of the PCI Security Standards Council.

“You get the phone call and it says you’ve been breached. It can come from law enforcement, it can come from banks, and that’s the first you know that your world is about to end,” he said.

“[The call] can come at any time and on any day, and at that point there will be a list of things to do: talk to the bank, talk to law enforcement, talk to customers. CISOs have no idea how big the breach is or what data has been stolen, so having an incident security plan is critical.”

He also suggested the firms should be strict about the data they collect and keep, because often firms create unnecessary risks for themselves.

“Companies store far too much data. Our message from day one has been if you don’t need it don’t store it. Just get rid of it. Organisations have now got to start looking at all of their data with that mindset,” he said.

M&S and TalkTalk are not the only businesses to suffer recent online woes. High street chain WHSmith was left in disarray in September after a website flaw caused sensitive customer data, including names, addresses and phone numbers, to be emailed to other website users.

And while website glitches are usually discovered and fixed quickly, it is clear that even a small data breach can have major consequences.

If the article suppose to have a video or a photo gallery and it does not appear on your screen, please Click Here

28 October 2015 | 4:21 pm – Source: v3.co.uk


Leave a Reply

Your email address will not be published.