E-commerce provider Fashion Nexus exposed personal data of 1.3m online shoppers


An online store developed and managed by an e-commerce firm named Fashion Nexus recently suffered an IT security breach that resulted in the exposure of personal information of approximately 1.3 million people who had purchased fashion products on the online store.

The online store hosted by Fashion Nexus retailed products from fashion brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People.

Fashion Nexus didn't encrypt personal data

The IT security breach was discovered by Taylor Ralston, an ethical hacker who stumbled upon a server hosting a shared database of personal records belonging to the online fashion stores' customers. The personal information exposed by the breach included names, dates of birth, email addresses, phone numbers, and MD5-hashed passwords.

Following the revelation, Fashion Nexus initially declined to comment on the exposure to Cluley but later issued the following statement on its website:

"We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitative breakdown of those records in due course. These records do not contain any sort of payment card or bank account details and there is no evidence that any fraud has resulted.

"We would suggest that people change their passwords if they've been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).

"Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server. The breach was quickly identified and the vulnerability removed. The ICO has been informed. Fashion Nexus take our clients and their customers' data security extremely seriously and we apologise that we have come up short in this instance."

Jaded London, one of the fashion brands whose products were retailed by Fashion Nexus, also released a statement in which it said that data exposed by the e-commerce firm was "limited to data related to shipping of archived orders" and did not contain any payment information.

The firm added that the Jadedldn.com live website was at no time compromised, and that it is at present in touch with the Information Commissioner's Office and is reviewing its security with developers and providers.

E-commerce firms need multi-layered security strategies

Commenting on the exposure of sensitive data belonging to over a million online shoppers, Ryan Wilk, vice president at NuData Security, said that although payment data was not exposed, the personally identifiable information accessed can easily fuel synthetic identity fraud and identity theft.

"With these types of fraud, personally identifiable information such as name, address, or date of birth is traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft. NuData has seen a 100% increase in purchase attempts with flagged – suspicious – credit cards, which are often used under a fake account that has been created with stolen information.

"This is why retailers, e-Commerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics. These technologies can identify and protect companies against fake accounts created with stolen information using automation," he added.



Copyright Lyonsdown Limited 2021
