Lakeland resets passwords after security breach
- 24 July 2013
Homeware retailer Lakeland has warned shoppers who have used its website that their details may have been compromised.
The firm said that two of its encrypted databases were accessed during a cyber-attack, although it was not clear if any data was stolen.
It added that it had reset all customers' passwords as a precaution.
The Cumbria-based company blamed a problem in Java-based software for having made it vulnerable.
"Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the Java software used by the servers running our website, and indeed numerous websites around the world," said its managing director Sam Rayner.
"This flaw was used to gain unauthorised access to the Lakeland web system and data."
He added that his firm first became aware of the incident on Friday and that it had happened despite "best efforts" to "use the best security systems available".
A spokeswoman added that Lakeland intended to be "open and honest" with customers about the incident and that its teams had worked "around the clock" to identify and block the problem.
However, she was unable to say what information had been contained in the attacked databases and what type of encryption had been used to protect it.
Nor was she able to say whether the firm's IT provider - whom she would not name - had installed an up-to-date version of Java on its computers.
Lakeland added that it planned to give the police details about the investigation carried out by its own security experts who had advised it not to make further information public at this point.
Java developer Oracle has faced criticism about its efforts to address vulnerabilities in the platform - although it noted in May that recent patches had featured a "historically high number of security fixes" and that it had removed plug-ins from the version of the software used on servers to reduce the risk of attack.
However, it appears this latest incident might be more to do with a flaw in a program written using Java rather than a problem with the platform itself.
One security researcher said the incident should act as a "wake-up call" to other firms using Java-based software on their back-end systems.
"Almost always when you hear warnings about Java it is about an outdated version of the web browser plug-in making the computer vulnerable to exploits coming from hacked websites - that's not what happened here," said Mikko Hypponen, chief research officer at F-Secure.
"Here they were running Java on the server side, which was somehow remotely breached. This is a much rarer way of attacking systems."
He added that it would be helpful if Lakeland could provide more details of what had happened so that others could learn from the attack.