That’s what happened to Office, the high street and online shoe retailer, and over one million of its customers, when an unencrypted database due for decommissioning was hacked.
Fortunately, it does not appear that customers’ information (which consisted of contact details and website passwords) was used any further.
However, Office received a warning from the Information Commissioner’s Office and has signed an undertaking to confirm the action it intends to take to resolve the issues highlighted by the breach, including regular website security testing, the introduction of a new data retention and disposal policy and training for all its employees.
The Information Commissioner’s Office said, “The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data. All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”