BBC Newsbeat reported just over an hour ago that high street retailer Office have admitted that their website was the victim of a security breach. Commenting on this, Brendan Rizzo, technical director at encryption specialist Voltage Security, said:
"Office has stated that financial data has not been compromised in this breach, but stopped short of disclosing what personal customer information was actually left unprotected. Most retailers do collect personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the a compromised user's behalf.
This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is stored and protected. If data is left unprotected, it's not a matter of "if" it will be compromised - it's a matter of "when". Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.
If Office had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cyber criminals."