Following a security breach that was first revealed in May 2014, shoe retail chain Office has been issued with a warning by the Information Commissioner’s Office (ICO). The retailer avoided a fine despite more than one million customers’ details being exposed through a hacking incident. The ICO said there was no evidence to suggest the information accessed had been further disclosed or used. Office has confirmed that no payment card or bank details were compromised in any way.
But it could have been much worse.
Technical measures not enough
The ICO established that the attacker gained access to customers’ contact details and website passwords through an unencrypted database held on a server that was due to be decommissioned. The attacker got past the technical controls the company had in place, and the intrusion was not detected at the time.
The server has since been decommissioned, but the underlying problem remains: technology alone does not protect sensitive data. An unencrypted copy of live customer data sat on a system awaiting retirement because no retention and disposal process made sure it was removed. Organisations need competent people and effective processes, alongside technical controls, to approach data protection and information security in a coherent and effective way.
More stringent data protection measures needed
Sally-Anne Poole, ICO enforcement group manager, said:
“The breach has highlighted two hugely important areas of data protection: The unnecessary storage of older personal data and the lack of security to protect data.”
Office has signed an undertaking to resolve the problems that led to the breach. The measures include:
- Regular penetration testing of all websites and servers.
- Updating data protection policy documents to include a retention and disposal policy for customer data.
- Providing formal data protection training to all Office employees and regular refresher training.
- Ensuring that personal data is retained only for as long as necessary, in relation to the purposes of the processing.
Where to start?
If you face similar challenges to Office, the logical step is to implement ISO 27001, the international information security management standard.
ISO 27001 provides a comprehensive framework for developing and implementing an auditable information security management system (ISMS), and the controls it requires support compliance with the security obligations of most global privacy regulations.
To get started with ISO 27001, there are numerous cost-effective options to employ. Find out more about IT Governance’s ISO 27001 packaged solutions today and protect your data.