Shoe retailer Office signs an undertaking committing to address issues of data protection

The ICO has warned high street and online shoe retailer Office after the personal data of over one million customers was left exposed due to a hacking incident.

The hacker managed to gain the potential to access customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned. The hacker bypassed other technical measures the company had put in place and the incident went undetected.

Office has signed an undertaking to ensure issues around the data breach are resolved.

Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:

“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.

“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”

“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”

The data breach also highlights the risks associated with customers using the same password for all their online accounts.

Sally-Anne Poole added:

“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”

The company has committed to address the issues of data protection and has already decommissioned the servers in question and implemented a new hosting infrastructure.

 

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
  2. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  3. Fairly and lawfully processed

  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection