Lakeland hack results in breach of two encrypted databases
Kitchenware retailer confirms breach, but stops short of revealing what kind of data hackers accessed.
Kitchen cookware retailer Lakeland has fallen victim to a "sophisticated and sustained" attack by hackers, resulting in two encrypted databases being accessed.
The security breach was discovered late on Friday 19 July, the company confirmed in a statement on its website yesterday.
At the time of writing, the firm said there is no evidence to suggest the hackers stole any data.
"However, we have decided that it is safest to delete all the customer passwords used on our site and invite customers to reset their passwords," read the statement, signed by the company managing director Sam Rayner.
"Next time you log-in to your Lakeland account you will be asked to reset your password and provide a new one [but] it is not necessary to do this straight away."
The company reportedly has 64 stores across the UK, and also offers customers the option to buy its products through mail order or online shopping operations.
The hack is only thought to have affected its web-based business at this time.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The statement then goes on to advise customers that use their Lakeland password for other online accounts to change their login credentials as soon as possible.
"We do not know for certain the hackers succeeded in stealing data, however since there is a theoretical risk and because it is our policy to be open and honest with our customers, we are being proactive in alerting you," it added.
Lakeland said the cyber attack was made possible by a recently identified flaw in the server system used to run its website, which is overseen by an unnamed third-party IT company.
"This occurred despite the best efforts of ourselves and the industry leading IT company that runs our website for us," the statement continued.
"This flaw was used to gain unauthorised access to the Lakeland web system and data...[and] hacking the Lakeland site has taken a concerted effort and considerable skill.
"We only wish those responsible used their talent for good rather than criminal ends," it concluded.
Dodi Glenn, director of security content management at infosecurity firm ThreatTrack Security, said Lakeland customers have a right to know exactly what data has been compromised.
"Lakeland should work with the authorities to identify what information was leaked. Customers should have the right to know if their credit card numbers were stolen," said Glenn.
"Lakeland and others should take note that being proactive instead of reactive is the best approach, because brand reputation is priceless."