In a statement, Fast Retailing said the following information was likely to have been accessed:
- Customer name (last name and first name)
- Customer address (postal code, address, and apartment number)
- Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
- Receiver name (last name and first name), address, and phone number
- Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.
The company added: "Currently, Fast Retailing has identified the origin of the communication from which the unauthorised logins were attempted and has blocked access, and is strengthening monitoring of other access points.
"On 13 May, the company disabled the passwords for the 461,091 user IDs that had been potentially accessed, and is sending individual emails to each person affected, requesting that they reset their password."
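The statement describes the standard response to credential stuffing: identify the source of the unauthorised login attempts, block it, and reset the password of every account that source actually got into. The Python below is an added, editorial example of that triage logic (it is not Fast Retailing's tooling or any vendor's code) run over a constructed sample of web-login log lines. The log format, the detection thresholds and the IP addresses are assumptions made for illustration.

```python
"""Credential-stuffing triage over web-login logs.

Added example, not Fast Retailing's code. Credential stuffing replays
username/password pairs leaked from other sites, so one source tries many
*distinct* usernames, most attempts fail (the victim reused no password there),
and the few that succeed are the accounts that must be reset.
Log format, thresholds and sample lines are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<iso-timestamp> <source-ip> login user=<id> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Detection thresholds (assumed; tune to a site's normal login traffic).
MIN_DISTINCT_USERS = 20   # one person rarely tries 20 different accounts
MIN_FAIL_RATIO = 0.8      # stuffing fails on most accounts it tries


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # users logged into successfully

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, user, result) or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skipped rather than trusted
    return m.group("ip"), m.group("user"), m.group("result")


def aggregate(lines):
    """Per-source counters: attempts, failures, distinct users, successful users."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, result = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "fail":
            s.failures += 1
        else:
            s.compromised.add(user)
    return stats


def flag_stuffing_sources(stats):
    """IPs whose behaviour matches credential stuffing.

    Both conditions must hold: many distinct usernames AND a high failure
    ratio. A shared office NAT also shows many distinct usernames, but its
    failure ratio stays low, so it is not flagged.
    """
    return sorted(
        ip for ip, s in stats.items()
        if len(s.users) >= MIN_DISTINCT_USERS and s.fail_ratio >= MIN_FAIL_RATIO
    )


def accounts_to_reset(stats, flagged_ips):
    """Users successfully logged into from a flagged source: force a password reset."""
    out = set()
    for ip in flagged_ips:
        out |= stats[ip].compromised
    return sorted(out)


def build_sample_log():
    """Constructed sample log: one stuffing source plus one busy but benign NAT."""
    lines = []
    # 203.0.113.7: 25 distinct users, 3 successes, 22 failures -> stuffing
    for i in range(25):
        result = "ok" if i in (3, 11, 19) else "fail"
        lines.append(f"2019-05-10T02:{i:02d}:00Z 203.0.113.7 login user=u{i:04d} result={result}")
    # 198.51.100.9: office NAT, 25 distinct users, 3 typos -> benign
    for i in range(25):
        result = "fail" if i % 10 == 0 else "ok"
        lines.append(f"2019-05-10T09:{i:02d}:00Z 198.51.100.9 login user=staff{i:02d} result={result}")
    lines.append("garbage line that does not parse")
    return lines


def triage(lines):
    """Return (sources to block, accounts to reset) for a batch of log lines."""
    stats = aggregate(lines)
    flagged = flag_stuffing_sources(stats)
    return flagged, accounts_to_reset(stats, flagged)


if __name__ == "__main__":
    flagged, reset = triage(build_sample_log())
    print("block/monitor sources:", flagged)
    print("force password reset for:", reset)
```

The two-condition rule is the important design choice: volume alone (many attempts from one IP) also matches a corporate NAT or a mobile carrier gateway, and a failure ratio alone also matches a single user fumbling one password. Requiring both is what separates the stuffing source from legitimate shared egress; in production the same counters would be kept per source over a sliding window at the WAF or login service rather than over a finished log file, and an attacker spreading attempts across a proxy pool would need the counters keyed on additional signals (user agent, TLS fingerprint, ASN) rather than IP alone.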
"After nearly half a million accounts have been compromised, UNIQLO is urging users to not only reset their passwords, but to create a unique password for their accounts to reduce the chances of being hacked.
"Although that is a good immediate first step, companies can't guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface. Cyber criminals are constantly discovering new ways to take over accounts, and companies should provide proactive and preventative defences that stop these attacks without burdening the end-user."
Chris Kennedy, chief information and security officer and vice-president of customer success at security firm AttackIQ, said: “UNIQLO discovered the breach after customers reported strange account activity and after the company blocked the attackers from accessing the company’s computing systems.
"However, it is alarming that this malicious third party was able to obtain unauthorised access via credential stuffing and elevate its access to move laterally through the company’s network to pilfer the data of approximately 460,000 users before being discovered.
"This leaves the questions of whether UNIQLO had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if UNIQLO was exclusively relying on users with user access to not engage in malicious activity."
Kennedy said the attackers' success demonstrated that UNIQLO had weak internal monitoring and possibly poor architecture that made customer data far too easy to access.
He added that the company was likely to have had "a lack of a separation of user roles and no data loss prevention solution in place that prevented the disclosure or theft of sensitive data, and clearly no control validation program".
"The insecure software development and insufficient use of security best practices from UNIQLO has created significant shared risk for itself and its customers alike. Only through comprehensive validation of its cyber readiness can an organisation ensure that its applications and systems can withstand a cyber attack. Enterprises must be held accountable for securing their users' data and for validating their cyber readiness before an adversary does."