UK home shopping pioneers Lakeland have sent an email to all customers past and present to warn them that the retailers website has been hacked. What Managing Director Sam Rayner calls a "sophisticated and sustained attack" took place late on Friday 19th July. Measures were taken at the time to block that attack and repair the system, however the ongoing investigation has revealed that two encrypted databases were compromised.
In that email to customers, Rayner states that the company has been "unable to find any evidence that the data has been stolen" but nonetheless has taken immediate action to delete all customer passwords used on the site. Customers logging in will be required to choose a new password.
Although further details are scarce at this point in time beyond the hack using "a very recently identified flaw in the Java software used by the servers", Lakeland is to be applauded for a timely and honest disclosure of the breach. Rayner calls this a "policy to be open and honest with our customers" and although he continues to state that it is not known for certain that the hackers succeeded in stealing data Rayner does wisely admit that there is a 'theoretical risk' and as such think it best to be "proactive in alerting" customers. Obviously there is some careful wording being used here to try and mitigate any brand damage, and I'm no great fan of the whole 'potential/theoretical' language approach when disclosing such attacks (let's be honest, the chances are pretty high that those databases have been harvested), but kudos to Lakeland for doing the right thing in letting customers know as soon as possible.
What we don't know at the moment is the exact nature of the databases concerned, although the resetting of passwords would suggest that they contain customer and login data. We don't know the exact nature of the encryption either, other than the databases were encrypted, and questions such as whether the hashes were salted or not remain unanswered for now.
What we do know is that the Lakeland advice is spot on when Rayner advises "as a precaution... if you use the same password on any other account/s, you should change the passwords on these accounts as soon as possible".
Indeed, I would go so far as to say that perhaps the single most important step you can take to protect your data, given the number of high profile database breaches that happened over the last year, is to never reuse a password on multiple sites. Every password should be unique, and every password should be complex and strong. Use a password manager to both protect these in an encrypted database and make remembering them a no-brainer. Anything less is, quite frankly, asking for trouble...