Feeds

UK pots 'n' pans outfit Lakeland scalded by hack attack

Saucepan Man rattled. Password reset applied

Protecting against web application threats using SSL

UK homeware retailer Lakeland is asking its customers to change their passwords as a precaution following a hack attack that allowed cybercrooks to reach two of its encrypted databases.

Lakeland sent an email to customers late on Tuesday admitting the breach, and informing them that it was resetting passwords. Users will be obliged to create a new password the next time they log in or try to shop with the retailer. The breach, which Lakeland detected last Friday (19 July), involved two encrypted databases. In a statement on its website, Lakeland admits it doesn't yet know if any data was actually stolen, though it's fair to point out that it's only days into a breach investigation and any computer forensics work takes time to do properly.

Late on Friday July 19th we discovered that the Lakeland website was being attacked by hackers in a sophisticated and sustained attack. Immediate action was taken to block the attack, repair the system and to investigate the damage done and this investigation continues.

Today it has become clear that two encrypted databases were accessed, though we've not been able to find any evidence that the data has been stolen. However, we have decided that it is safest to delete all the customer passwords used on our site and invite customers to reset their passwords. Next time you log in to your Lakeland account you will be asked to reset your password and provide a new one. It is not necessary to do this straight away, just the next time you want to use the account.

We also advise, as a precaution, that if you use the same password on any other account/s, you should change the passwords on these accounts as soon as possible. We do not know for certain that the hackers succeeded in stealing data, however since there is a theoretical risk and because it is our policy to be open and honest with our customers, we are being proactive in alerting you.

Lakeland apologised to its customers for any inconvenience caused by the security flap, which only affects its online punters and not its store or mail order clients. Its statement goes on to blame the hack on a sophisticated assault against a "recently identified flaw" in an unspecified system.

Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the system used by the servers running our website, and indeed numerous websites around the world. This flaw was used to gain unauthorised access to the Lakeland web system and data. Hacking the Lakeland site has taken a concerted effort and considerable skill. We only wish that those responsible used their talent for good rather than criminal ends.

As things stand, Lakeland customers can be forgiven for being unsure whether their personal and financial data has been compromised. Lakeland's statement omits common reassurances that payment systems were unaffected, although it offered some reassurance in an update to its official Twitter account stating "we have no evidence that any card data has been compromised" it hasn't said whether or not the encrypted databases that got hit contained payment information.

Dodi Glenn, director of security content management at ThreatTrack Security, commented: “It is common practice to purge passwords in the event someone suspects a compromise of their database. While customers may be alarmed as is natural in these circumstances, Lakeland should work with the authorities to identify what information was leaked. Customers should have the right to know if their credit card numbers were stolen. Lakeland and others should take note that being proactive instead of reactive is the best approach, because brand reputation is priceless.”

A blog post on the breach by ThreatTrack Security, containing a copy of the email sent to Lakeland customers, can be found here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.