So who will be the Next company to have a data breach?
September 13th, 2012
You may remember that last week we told you about a little birdie who had told us about potential data breaches at a FTSE 100 online retailer. You may also remember that, in the same article, we mentioned FTSE 100 online retailer Next, official Team GB clothier.
But we did not drop the bone there. After receiving confirmation from our source that the company in question was, in fact, Next, and receiving some additional information on data servers and web vulnerabilities, we investigated it further. After all, dear Bitterwallet readers, you are consumers, and when consumer data is at risk, that might affect you. And we care. Deeply.
So we contacted web security expert Troy Hunt, who was the guy who broke the Tesco data breach story last month. We gave him our information and asked him what he could find. He is also a very helpful, and knowledgeable, man.
He told us that 90% of big businesses will have some serious vulnerability of some description or another, leading us to conclude that, in all likelihood, there are weaknesses in Next’s systems. However, Troy stressed that being able to find a weakness and being able to exploit it were not necessarily the same thing. He explained that he wouldn’t necessarily expect the customer data storage servers we had been given to be encrypted, although this would mean access to these databases should be limited. Without further information he was unable to get through to the data from outside the company. He also checked the Next website and found no basic security flaws.
But our source was insistent that there was an issue, so we asked Next to tell us about their data protection and if there were any issues. They did not respond. So we told them we believe hundreds of staff have access to 6.5m customers’ personal data, and that these details can be downloaded by staff without trace. We also informed them that our source claimed he could expose serious security flaws in the retail website and a lax corporate attitude to customer data protection.
Next refused to refute our claims, giving us no option but to conclude that we might be right. To be fair to Next, however, they also refused to deny that they were members of the Baader-Meinhof gang*. Either way, whether they are guilty of a little slip or of a more serious breach involving your data, we can only hope that our digging around has encouraged them to look at things more closely, so that data will be better protected in future.
*this is a Hot Metal reference. Obviously.
So what you’re saying is that they may or may not have one or more security concerns, but one thing they do have going for them is that their staff aren’t stupid enough to reveal details about their infrastructure to any random twat who calls up asking for it?