Many Lakeland customers will have received an email yesterday (23rd July 2013) informing them of an attack on the company's computer systems.
These are important notices that you should read.
Our thirst for quick and convenient online shopping seems to be insatiable. There are so many websites on which we either make one-off purchases or set up accounts.
We often concentrate on the big players, like Sony and Amazon, as these absorb larger funds from us.
However, all our dealings online should be treated equally. The smaller sites are at least as risky as the larger ones. It is true that they are a less inviting target to hackers, but the downside of that is they frequently have significantly reduced security or are more vulnerable to well-developed attacks.
Whether you made one purchase, maybe years ago, or are on the site every day, you should ensure you are using sites securely yourself.
It is good to see Lakeland making a quick announcement. Examining the email shows that the attack occurred on the 19th July, some four days prior. But there are understandable reasons for that delay.
Investigating such attacks takes time. Many systems and logs need to be checked and verified, as well as the databases themselves. If the attack is huge in scale, that can help the attacker hide their true target and make diagnostics time-consuming.
Lakeland indicate that the attack damaged the computer environment that holds their data. Most companies would try to start three strands of remediation simultaneously.
- Stop the attack
- Identify and repair any damage
- Identify any data breach
They have identified the vulnerability that was leveraged by the attacker, related to a flaw in Java. Java is well known for its poor security model and is often a door through which attackers can force entry. Alas, its flexibility still makes it popular for web services, even e-commerce websites.
Lakeland appear to have taken a suitable approach, and it is no surprise that they are unsure whether a data breach has occurred, but they have taken the step of asking all users to change their passwords.
They state that the database was encrypted and that this is a precautionary step, but in my opinion it is a necessary one.
They also say they continue to strive to improve their system security. Perhaps they’ll review their use of Java?
As a consumer, you can’t stop these attacks on your ‘vendors’ but you can still take some small steps.
The best is to ensure you do not re-use passwords. Use a different password on every site. Obviously that would lead to dozens, if not thousands, of passwords. Thus you’ll need a password manager. I recommend mSecure or KeePass. Both are offline: the passwords are stored on your phone, tablet or computer. Of course, they themselves need to be protected by a password. This needs to be a very secure password – which you will need to remember.
There are online password managers, such as LastPass, and these can be very effective. I personally prefer to reduce my online footprint slightly and store the passwords myself (as above). There is a very, very small risk with using an online password store – it could be attacked itself.