
This is not just a data breach
This is an M&S data breach
The Information Commissioner's Office is making enquiries into Marks & Spencer's website after customers complained that they were being presented with each others' personal details while shopping. Marks & Spencer made its website temporarily unavailable last night after what it claimed was "a technical issue". The company's …
Not really. It says something about poor web design, but it's more likely a specific requirement.
"We haven't had any complaints since the new site went up. It's the same as the old site but we've removed all the "Report a problem" links...."
Overpriced trebles all round?
Yes, that would be my guess. I've experienced that with some ISPs that still cache at their gateway; AOL was the worst offender. Session records got cached, despite the page headers saying please don't cache.
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
So it may affect some users but perhaps not all, depending on the ISP.
<snip>
"So either not a cache problem, or Marks & Sparks were very naughty and weren't encrypting the pages."
I heard that they were having cache <sic> flow problems but this one seems to be worse than my wildest fears.
I once asked a Scottish systems administrator how big her cache was on a support call. She heard "how big is your gash?" and I got an embarrassed reply of "no bigger than any other girl of my age". Even now I cringe at the thought.
Cache control directives in HTTP responses and HTML content are the wrong answer, and not reliable.
All web pages with any sensitive content, including any personal and financial details, must only ever be over HTTPS, for security, including preventing caching; it is fracking negligent not to do this!
I'd suggest that all session derived content should go over HTTPS anyway to block caching and traffic spying.
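To tie the two points above together (the cache directives quoted earlier and the HTTPS argument here), an added example that is not part of this thread: a small defender-side audit that flags a response carrying personalised content if it is served in the clear or if its headers leave a shared cache free to store it. The URLs and header values are constructed for illustration.

```python
"""Audit an HTTP response for shared-cache exposure of personalised content.

Constructed example: the header dicts below are hand-written, not captured from any site.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'} (names lower-cased)."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_response(url: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries session-derived (per-user) content."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if not url.lower().startswith("https://"):
        findings.append("not served over HTTPS: gateways and proxies can read and cache it")
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "private" not in cc and "no-store" not in cc:
        findings.append("Cache-Control lacks private: a shared cache may store it")
    if "public" in cc or cc.get("s-maxage", "0") not in ("", "0"):
        findings.append("Cache-Control explicitly permits shared caching")
    if "set-cookie" in h and "no-store" not in cc and "cookie" not in h.get("vary", "").lower():
        findings.append("Set-Cookie present but Vary does not include Cookie")
    return findings


# Constructed sample responses for an account page (hypothetical host, not a real site).
WEAK = {"Content-Type": "text/html", "Set-Cookie": "session=abc"}
HARDENED = {"Content-Type": "text/html", "Set-Cookie": "session=abc",
            "Cache-Control": "no-store, private, must-revalidate", "Pragma": "no-cache"}

if __name__ == "__main__":
    print("weak:", audit_response("http://shop.example/account", WEAK))
    print("hardened:", audit_response("https://shop.example/account", HARDENED))
```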
But isn't that the very definition of 'news'? This is a news site; technically everything that has ever or will ever happen is 'news', so a decision has to be made about what is relevant, and currently people are interested in this sort of story as, as you correctly point out, it has recently impacted many people in the UK.
My Dad says he saw another customer's bank account details as well as his own when he logged in last week. He called Lloyds, and they told him not to worry and just to clear his browser cache, and not use old location bar URL history to navigate to the login page any more.
Absolutely nothing to worry about there!
There is nothing in that quote to make any assumption on what the technical team thought. The fact that they took down their website suggests that someone with a lot of authority was
a) Worried about it.
b) Listening to the technical department telling them that we need to take the web site off line.
c) Prepared to write off the thousands of pounds per minute that not having the web site available would cost the company.
Chrome doesn't really like their site anyway:
Your connection to www.marksandspencer.com is encrypted using an obsolete cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
The connection uses TLS 1.2.
The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism.
I have also lost the 577,000 Sparks points I had yesterday before the shutdown. In fact I've lost my Sparks card altogether as it's now linked to somebody else's account!
We experienced this. My wife logged on to register her new Sparks card and the order history on her account showed random items, in random order, going back several years, none of which she'd bought. At first she thought her account had been hacked - she apparently had a £1,500 sideboard out for delivery - and only realised it was a wider problem when she got through to them on the phone (after about 20 minutes).