Steel bin maker Brabantia breached, trashes passwords just to be safe

Brabantia is a Dutch company known for making steel bins, but its database must have been a bit easier to rip into than steel, given that crooks have plucked out customer data tidbits.

The company sent customers a letter, also printed on its site, saying that routine monitoring of database accounts revealed that intruders may have compromised some “consumer details”.

The Register reports that the intrusion happened sometime between Thursday and Friday.

It’s not clear what data the intruders might have grabbed, but Brabantia said that it wasn’t financial. Nor were passwords accessed.

Heck, they don’t even store those nuggets, the company said in their letter:

Brabantia does not receive or store banking numbers, credit card numbers or other financial data. All our payments are handled by an external company that is completely separated from our own systems.

Nonetheless, Brabantia’s relegated all passwords to the trash, meaning that customers have to create new passwords if they want to get into their accounts.

According to The Register, Brabantia says it believes “the potentially vulnerable data is limited to name, email (address), and products ordered”.

We don’t know how intruders got into Brabantia’s database or exactly what they accessed, but we do know that all data that’s considered sensitive or important should be strongly encrypted as a matter of routine when immediate access isn’t required.

Let’s hope that the company that handles Brabantia’s financial data off-site is taking care of it, with strong encryption for the stored data and proper salting and hashing for any passwords it holds.

After all, if intruders can get far enough inside your network to reach a database, they may well be crooks looking for financial data to sell off to identity thieves and credit card scammers, and they might keep poking around until they find it!

Sophos lists unencrypted files as one of the 7 Deadly IT Sins.

Just ask companies like Target or Home Depot about how devastating data breaches can be to a company brand.

No matter how big or small the breach, and no matter if a company sells clothes, tools or steel bins, reputation and customer loyalty can suffer grievously.

Sophos has resources, including videos and whitepapers, that can help with common security sins.

Image of shredded paper in bin courtesy of Shutterstock.


I’m not sure someone could follow your advice here. You quote “the potentially vulnerable data is limited to name, email (address) and products ordered” and then in one breath mention data encryption (though for the external company).

But name, e-mail address and products ordered cannot be encrypted in any meaningful way without making the application so complicated and non-standard that it would send the cost for it through the roof. Sure, you can encrypt the file on disk, but some kind of process must be able to read the data, and hackers usually hack the web interface or database server, not the file server and its files.

They did the right thing by outsourcing the really critical data like credit card numbers, so a company which handles this type of data for a living can take appropriate security measures. So, why mention this incident at all, since it does not seem to be an especially critical data breach?
