From April 23rd to May 10th, Asia’s largest retailer, Fast Retailing, announced a data breach that affected more than 460,000 online shoppers of its Japanese Uniqlo and GU brand websites. The company confirmed that an unauthorised login by a third party occurred on the online store, but there were no reports of information being used elsewhere.
Hackers obtained customers names, addresses and contact details, with Fast Retailing adding that partial credit card information may have been “browsed,” but that there is no possibility of leakage in credit card security codes (CVC’s). Due to new laws set by the General Data Protection Regulation (GDPR), any business that experiences a data breach must report it to the Information Commissioner’s Office (ICO) within 72 hours of discovering it. If not, they can face damaging repercussions, such as fines of up to 4% of their annual turnover.
A representative of Fast Retailing said:
“While the number of incidents and circumstances may change during the course of the investigation, Fast Retailing is today providing notice of the facts as determined at the present time, and the company’s response,”
The investigation began when customers reported strange activity on their account, which included changes to their registration information. Fast Retailing are continuing to examine the extent of the breach, but have concluded that this is a “list-type attack”, meaning hackers reused credentials that were used on, and stolen, from other sites.
Data breaches are becoming a common occurrence, especially within the retail industry, as e-commerce sites are being targeted on a daily basis by increasingly sophisticated attacks. Large, popular vendors such as Ticketmaster, FILA, Marriot, and British Airways are just a few of the numerous organisations affected by hackers over the past year, gaining considerable public attention.
Below is a graph showing the level of credential abuse that occurred throughout 2018 and 2019, highlighting the frequency of attacks and volume of comprised data. (Source: BleepingComputer):
There are a few options available to reduce the impact of a data breach, especially in relation to the safety of payment data. Best practice suggests to take any sensitive details associated with the organisation “out of scope”, removing the information away from the corporate network and environment. For customer cardholder data, this can be done using a third-party secure payment solutions provider, such as Key IVR, who offer an industry leading PCI-DSS Level 1 secure web payments platform that ensures valuable card details are processed safely and securely.