Marks & Spencer admits cybercrooks made off with customer info

Re: as a regular customer ...

From the issues they are having with stock control and distribution, I suspect M&S are still struggling to get back in to their systems and thus still don't actually know the extent to which they have been compromised...

Whilst people are focusing on the customer data, what is clear M&S are struggling with inadequate business continuity plans and a sudden discovery of just how much expertise and sector knowledge has gone. With weird non-sensical deliveries being made to stores because staff no longer have any real understanding of what stores are selling and what is a store's normal level of business and stock turnover.

Suspect the Co-op is hitting exactly the same stock delivery problems...

Re: MSM: The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords

The worst thing about this.. a password/user combination alone shouldn't give you access to shit. We live in the age of FIDO, device compliance, device certificates, non-phishable MFA, so-on and so-forth.

WTF is going on when a major supermarket isn't practicing basic security principles?

Re: I wonder ...

"... which date of birth they have for me?"

Probably the correct one unless you've been lying for long enough.

I knew somebody that was a FB addict and told him that it is a giant data leak. He didn't believe me. He used a fictitious name with everybody and challenged me to find his legal name. Took me less than an hour and wasn't that hard. For giggles, I included his wife's legal name, and a bunch of other information like when and in what manner they were married. It's fine if he doesn't want everybody knowing his name, but that it is impossible to have a perfect disguise without staying off-line as much as possible and keeping documents out of view and locked up. Maybe not even then.

I don't advocate giving up and having a QR code tattooed on your forehead, but to be realistic about privacy and also be diligent.

Re: Well...

"I'm sure that got their knickers in a twist!"

Twisted knickers? Aisle 6 under the rainbow banner.

Re: This is not just a breach, it's an M&S breach...

As for Harrods, if you ask about it, you cannot afford it.

Re: Checkout As Guest Option Must Be Mandatory

Even guest checkout still needs your name, address, etc.

Re: Checkout As Guest Option Must Be Mandatory

That's quite a naïve view of how things work.

The affected data in this case was

> names, dates of birth, telephone numbers, home addresses, household information, email addresses

For a guest checkout it uses every single one of those with the exceptions of DOB and "household information". The minimum required to fulfil an order (i.e. deliver it) is the person's name and address. Then you need an email address to send updates about the delivery. There's no way that those get wiped from databases just because an order has been delivered! It's part of the audit history of a companies orders. Just because you don't have an "account" doesn't mean the details aren't saved anywhere!

As for payment card details the retailer doesn't usually store those. They store a representation (encrypted token) of the card which can then be validated with a 3rd party payment provider. That applies whether you use Guest checkout or have an account. In any event, this is really the least of anyones concerns. A card can be cancelled/replaced. Your identity...not so much.

Re: usable payment or card details

>> All the other details may be stored

PCI DSS doesn't prohibit the storing of the full PAN, but it strongly recommends against it, and does mandate that if stored, it should be encrypted, and when displayed, should be masked.

In practice, in nearly all cases only the last four digits of the PAN are stored, and that is simply to identify the card to the user for subsequent transactions.

Actual transactions use a representative token generated by the payment provider, rather than passing the actual card details.

Re: usable payment or card details

"A spokesperson said: "We don't hold full card payment details on our systems, so it's masked and not usable."""

Even a piece can be quite useful. A Big Data firm (black hat or white hat) could use the last 4 digits of a card number as a check against the full number they already have. What we buy tells a lot about us. A young person buying baby supplies (nappies, wipes, etc) on a regular basis has a new baby in the house. If they just bought a few things once, it could be gifts for a baby shower. Certain items bought near to religious holidays could narrow down somebody's religion, if they are religious. With enough data points, a lot of the puzzle gets filled in. The excuses companies hand out about there only being limited bits of information assumes that's all the information a miscreant will have access to.

Re: There are alternatives.

Why are you assuming that Amazon and eBay aren’t going to get hacked next?

Re: There are alternatives.

Sounds like TBL's weirdy "pods" concept, which I'd be mildly interested in if it went anywhere but haven't heard much about since it kicked off close to a decade ago. https://en.m.wikipedia.org/wiki/Solid_(web_decentralization_project)

Re: There are alternatives.

Oh and WRT companies having their own stores on Amazon and eBay — a lot of them already do; some see it as "multi-channel" and some even end up closing down their self-run points of sale. I worked for a bricks-and-mortar entertainment (e.g. CDs, DVDs) retailer back in the day and by the time I left the company (2004 or 2005 I think) they were making most of their money selling things on Amazon Marketplace and eBay, because the overheads were lower and they could even sell the products for a higher price as customers assumed the eBay or Amazon price "must" be the cheapest.

As a mildly amusing aside, when I interviewed for my final job in their head office I got to eavesdrop on a meeting between the Accessories buyer and a supplier that was happening in reception due to lack of meeting space, wherein I discovered that the relaunched Chewits we had inexplicably been told to display in boxes at all the tills were in fact the highest-margin item in the company. ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

My personal trouble with it is that I refuse to use Amazon to the point that I've found manufacturers who literally only sell through Amazon and abandoned any hope of obtaining their wares. It must be a good business model for some as I always get in touch with them to ask if there's any way I can buy their stuff and the answer's always no. eBay I can live with though the interface is even worse than Amazon's.

Re: Sparks, not so bright

"Do they employ people who will click on any link in an email?"

Is their system set up so some employee clicking on a phishing link creates a path into the customer database?

One day you may gain first hand experience of recovering compromised systems…

I can imagine this sort of comment from a random non-tech manager who had been included on the breach response team.

Stressed tech teams who have been working for 3 weeks straight.... Ohhhh, why didn't I think of that! Bob, oi bob, call dell, get a bunch of tin, then go spin up a colo quickly, deploy all the systems we need, ensure replicas and backups meet our RPO/RTO objectives, ensure monitoring/observability is in place, and that security controls are implemented.... And Bob, by the end of play today please. Then we can get ops people to work 80 hours a day to re-enter all this product data, all from memory.

I'm gonna assume you have never had to recover from a breach, it's stressful, tedious, emotional. Your working you ass off, but also very aware that once the dust has settled, there is going to be a load of tough meetings/reviews. You also have no idea as to the scale of the task at hand, so please do not presume to simply the situation into 2 options.

P.S. breach recovery is also fun, but I'm sick like that

> then why do I need to change my password when I next log in?

Standard boilerplate response (and yes I also have had an email)

Re: Co-Op

I went to our local Co-op earlier. Lots more stuff in now than even yesterday. But so many onions that they even had nets full of them in the (otherwise bereft) fridges. So, onion dopiaza it is then for tea.