back to article Shut the front door: Jewson 'fesses up to data breach

Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer. In a letter sent to customers – seen by The Reg – Jewson stated: "As a Jewson Direct customers, we regrettably are writing to inform you that our website (www. …

  1. John H Woods Silver badge

    Obligatory

    "They've hacked the Jewson lot"

    1. Korev Silver badge
      Coat

      Re: Obligatory

      I guess their customers are screwed...

    2. JimboSmith Silver badge
      FAIL

      Re: Obligatory

      Had a builder who wore Jewson T-shirts religiously when working. I asked if he had some sort of sponsorship deal with them given the daily use. He said no just a shed load of the T-shirts they'd given him free. Given his lack of interest in IT I doubt he will have been affected by this breach. Going off to Jewson to get something that he was lacking could take a while. Certainly wouldn't have been keen on ordering online and having things delivered.

  2. frank ly

    Card Payments

    "We follow the Payment Card Industry Data Security Standard (PCI DSS)."

    I thought that card payments on a website are dealt with by links to a third party 'approved' payments operator. Have I misunderstood this?

    1. tiggity Silver badge

      Re: Card Payments

      Some of those can be vulnerable.

      Everyone should really be moving to TLS 1.2 by next year at the latest to mitigate against some nasty weaknesses

      https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

      Most of the payment companies told people about this a while ago.

      Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available.

      1. Anonymous Coward
        Anonymous Coward

        Re: Card Payments

        "Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available."

        It was mentioned that CVV values were among the leaked data. Since these are not supposed to be stored by anyone, I would expect that something was sniffing the traffic to capture the information leaked.

        1. handleoclast

          Re: Even using third parties, there are issues

          Oh yeah. Big time.

          Somewhere on Jewson's site is a link to the payment handler. Doesn't matter if it takes you to the payment handler's page decked out in Jewson finery, if it's an iFrame or some Web 2.0 thingummyjig. Somewhere there's a link. So if you hack into the Jewson site you can change that link and mount a MITM attack.

          Which means you can't offload your security problems onto the third-party payment handler. You must ensure that your own site is secure. And periodically monitor that the link hasn't been tampered with (details left as an exercise for the reader, because a clever attacker will take steps to fool such monitoring, like detecting the IP address requests come from).

  3. Tigra 07

    Is it normal to report the hack to the ICO a week after, rather than, say, a day or two after realising?

  4. adam payne

    'As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised.'

    Plain text?

    'No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.'

    This additional statement makes it look like you don't know what information your systems store. Unless of course you suspect the code that was inserted was possibly stealing card data as it was entered.

  5. Death_Ninja

    Card details ripped by the ripper

    Cryptic message left behind in the logs

    "The Juweson are the men that will not be blamed for nothing."

  6. Korev Silver badge
    Coffee/keyboard

    Experian

    To help you monitor your personal information for certain signs of potential theft, we are offering you a complimentary 12 month memberships to Experian ProtectMyID

    My reaction -->

    Does this mean that your data can be lost by two different organisations instead of one?

  7. NellyD

    WannaCry

    I was in my local Jewsons on the day WannaCry was kicking off. Curiously, all their computer systems were powered down and it was a case of pens & paper at the ready. I'm sure there was no link between the two and it was purely coincidental. 1% sure.

    1. Anonymous Coward
      Anonymous Coward

      Re: WannaCry

      WannaCry had no impact on Jewsons or the other business groups, i believe the reason for the power off was to prevent any chance of it infecting end users untill such time that counter measures where in place.

  8. AlCro

    Was the breach earlier thasn August?

    In late June, we were having a new shower fitted in our bathroom. Our plumber referred us to the Graham's Plumber Merchants web site (Also part of the same group as Jewson - owned by the French company Saint Gobain) . Unfortunately, the website was unavailble (as were many of the St Gobain group including that of Jewson, Graham's and British Gypsum) and our plumber later said that the Graham's web site was undergoing a cyber attack and even he could not access his online account.

    With all these web sites suffering outages at the same time, it makes you wonder what caused this, and whether it is related to this more recent admission of a breach and possible loss of customer's data?

    1. Anonymous Coward
      Anonymous Coward

      Re: Was the breach earlier thasn August?

      *cough* theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe

      Jewsons is part of the Saint-Gobain group, i'll leave the rest upto you to figure out.

  9. hi_robb

    Oh dear

    It looks like Jewson IT security is run by a bunch of planks.

    1. Roj Blake Silver badge

      Re: Oh dear

      What a load of tools.

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh dear

      *cough* externally hosted and run site, no one from either side of IT involved with it (Jewsons doesn't have "IT" has such)

  10. a_builder

    Having ‘worked’ many years ago with Jewsons I can confirm that they are a bunch of planks that are screwed overseen by spanners. As other worth commentards have pointed out.

    The high point in our trading relationship was ordering material for a medium sized roof.

    We received:-

    Roofing felt

    Roofing batten

    Roofing nails

    Velux x 3

    Slate chippings 2 x 1000kg bags

    What’s wrong with that for doing a roof?

    Which plank keyed the order

    Who screwed up loading it

    Which spannner checked the truck before it left the depot

    What you clearly see is that nobody there cared in the slightest. And that is why I will never ever use them for anything ever again. If anyone had thought about it for more than one second they would have spotted the problem. And believe me it was often like that there.

    And the whole business is run on Keridge software - let’s not even get me started.

  11. Anonymous Coward
    Terminator

    Personal data may have been compromised

    'customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”'

    In this day and age, why isn't such information store in an encrypted form on a machine accessable from the Internet. Who designed and install the system at online builders merchant Jewson. Who is responsible for maintenance and security. I guess the original hack consisted of someone opening a malicious email attachment, the solution being to:

    a. Configure your email client to only open msWord docs in the MS Word Viewer, same for Excel etc.

    b. Disable automatically opening of URL links in PDF documents.

    c. Disable auto-running flash and similar active content.

    d. Use a unique email to register with a site.

    e. Use a burner phone for two-factor authentication.

    f. Never disclose either to any third party.

    Is this the state of 'computer' security in the year 2017 AD .. I mean Current Era, wouldn't want to trigger anyone :]

    1. Anonymous Coward
      Anonymous Coward

      Re: Personal data may have been compromised

      "Microsoft has announced that Word Viewer will be retired in November 2017, the program will no longer receive security updates or be available to download."

  12. atopher

    encrypted into the website?

    What does "encrypted into the website" mean then?

  13. Anonymous Coward
    Anonymous Coward

    I wonder if it was facilitated by spearphishing?

    No SPF, No DMARC... No DKIM???

    How do they know their emails are genuine?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like