An online store developed and managed by an e-commerce firm named Fashion Nexus recently suffered an IT security breach that resulted in the exposure of personal information of approximately 1.3 million people who had purchased fashion products on the online store.
The said online store hosted by Fashion Nexus retailed products from fashion brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People.
Fashion Nexus didn't encrypt personal data
The IT security breach was discovered by Taylor Ralston, an ethical hacker who stumbled upon a server containing a shared database that contained personal records of the online fashion stores' customers. Personal information of customers exposed by the breach included names, dates of birth, email addresses, phone numbers, and MD5-hashed passwords.
Following the revelation, Fashion Nexus initially declined to comment on the exposure to Cluley but later issued the following statement on its website:
"We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitive breakdown of those records in due course. These records do not contain any sort of payment card or bank account details and there is no evidence that any fraud has resulted.
"We would suggest that people change their passwords if they've been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).
"Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server. The breach was quickly identified and the vulnerability removed. The ICO has been informed. Fashion Nexus take our clients and their customer's data security extremely seriously and we apologise that we have come up short in this instance."
Jaded London, one of the fashion brands whose products were retailed by Fashion Nexus, also released a statement in which it said that data exposed by the e-commerce firm was "limited to data related to shipping of archived orders" and did not contain any payment information.
The firm added that at no time was the Jadedldn.com live website compromised, that it is, at present, in touch with the Information Commissioner's Office and is reviewing its security with developers and providers.
E-commerce firms need multi-layered security strategies
Commenting on the exposure of sensitive data belonging to over a million online shoppers, Ryan Wilk, vice president at NuData Security, said that although payment data was not exposed, the personally identifiable information accessed can easily fuel synthetic identity fraud and identity theft.
"With these types of fraud, personally identifiable information such as name, address, or date of birth is traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft. NuData has seen a 100% increase in purchase attempts with flagged – suspicious – credit cards, which are often used under a fake account that has been created with stolen information.
"This is why retailers, e-Commerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics. These technologies can identify and protect companies against fake accounts created with stolen information using automation," he added.