Shut the front door: Jewson 'fesses up to data breach

Builder's merchant tells punters their privates might be out in the cold

Installing a deadbolt drillbit in the door frame

Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer.

In a letter sent to customers – seen by The Reg – Jewson stated: "As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised."

The digital burglary is "likely" to have taken place on 23 August but was only discovered on 3 November. The website was temporarily shuttered on learning of the breach and remains closed. The ICO was then informed of the hack on 10 November. The hackers were seemingly left undetected for weeks, plenty of scope to do all sorts of mischief.

“We are commissioning a detailed and thorough forensic investigation into the breach. The investigations of the breach are ongoing,” the missive added.

Based on the information to hand, Jewson warned that customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”. Oddly, despite this, when we asked the firm, a spokeswoman told us that "no card data is stored by Jewson".

It is not known how the information was encrypted. Although we asked the organisation to clarify, a spokeswoman sent us this odd statement:

At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website. The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data. No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.

We follow the Payment Card Industry Data Security Standard (PCI DSS). The Jewson Direct website has been taken offline and will not be turned back on until we are informed by independent third parties that any security issues have been corrected.

In a bid to "mitigate possible adverse effects of the breach", customers are advised to monitor their accounts. In further no-shit-Sherlook guidance, punters that spy any unusual activity or transactions they do not recognise should contact their credit or debit card provider.

The letter sent to customers vowed: “To help you monitor your personal information for certain signs of potential theft, we are offering you a complimentary 12 month memberships to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focused on the [identification] and resolution of identity theft.”

Reassuring indeed. Or maybe not.

In addition to the question about how the data they had held was encrypted, The Reg also asked Jewson how many customers details were likely compromised, how the miscreant accessed the data and what subsequent steps were taken to improve security.

Concerned customers can contact Jewson's customer services help desk on 024 7660 8235.

A representative of the Information Commissioner's Office told us, "We are aware of an incident involving Jewson, and will be making enquiries." ®


Biting the hand that feeds IT © 1998–2017