M&S website leak details

It’s not been a very good week for British companies has it?

First, there was TalkTalk, then there was British Gas, and now we have Marks & Spencer.

What do they all have in common?

They’ve all been leaking data in one way or another.

In the case of TalkTalk, it was definitley a breach, possibly initiated by a 15-year-old Irish lad. With British Gas, the cause is not so clear – it may have been a hack, or the dump published on Pastebin may have been a collection of data acquired via a long-running phishing campaign.

As for M&S, the cause appears to be internal.

M&S-data-leak

After customers began complaining that they could see each others’ details when they logged into their accounts, the firm temporarily suspended its website, though it is now back online.

Taking to the company’s Facebook page, customers had informed the retailer that they could not only see other customers’ orders, but their payment details too. The issue seemed to be tied to customers signing up for Marks & Spencer’s new members club and card scheme called “Sparks.”

One customer, Konstantinos Vlassis, said:

“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I’m logged in to someone else’s account!

M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”

Other Facebook fans of the firm chipped in with similar comments, prompting administrators to take the M&S website down for around two hours.

After a quick investigation, Marks & Spencer said the data leakage was due to an internal error rather than an attack, confirming that no financial data had been taken. It did, however, also confirm that personal information, including names, addresses, dates of birth, contacts and previous orders had been exposed for a time.

A spokesperson for the company said the glitch had affected around 800 of its customers and apologised for the inconvenience, adding that it would be writing to all of those affected to assure them their financial details remained secure.

Commenting on the latest of several high-profile breaches affecting UK companies, Tim Erlin, Director of Security and Product Management at Tripwire said:

“Hackers aren’t the only cause of data breaches. Errors in website code can accidently disclose customer data, either as individual details or in bulk. The loss of physical devices, like laptops, can result in a data breach as well.

Websites that accept, process and use customer data continue to be targets for attackers. Even when data is encrypted behind the scenes, if the website can access and display that data, then there’s an avenue to attempt malicious access.

Organizations have to take a multi-layered approach to security. There’s no single solution that protects sensitive data. Security must span everything from hardened configurations of webservers to encrypted databases, and even employee awareness training.

The increased attention to data breaches in the media has sensitized customers to the issues involved. The average consumer is simply more aware of their own sensitive data these days.”

How aware are you of data breaches? Are you careful about which sites you trust with your data?

And have you checked whether your personal information has already been compromised at Troy Hunt’s excellent Have I Been Pwned site?