Thursday, 16 May 2019 10:07

UNIQLO customer data stolen through credential stuffing attack


Japanese public retail holding firm Fast Retailing has revealed that its UNIQLO Japan and GU Japan online stores have been breached and a total of 461,091 customer accounts accessed through a credential stuffing attack between 23 April and 10 May.

In a statement, Fast Retailing said the following information was likely to have been accessed:

  • Customer name (last name and first name)
  • Customer address (postal code, address, and apartment number)
  • Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
  • Receiver name (last name and first name), address, and phone number
  • Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.

The company added: "Currently, Fast Retailing has identified the origin of the communication from which the unauthorised logins were attempted and has blocked access, and is strengthening monitoring of other access points.

"On 13 May, the company disabled the passwords for the 461,091 user IDs that had been potentially accessed, and is sending individual emails to each person affected, requesting that they reset their password."
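The response described above (identifying the origin of the unauthorised login attempts, blocking it and strengthening monitoring) depends on telling a credential-stuffing run apart from ordinary logins. The following is an added example, not code from the article or from Fast Retailing: a small Python detector that scans constructed authentication log lines (assumed format: timestamp, source address, account, result) for sources that try many distinct accounts in a short window with mostly failed attempts, and reports which accounts the reused passwords actually opened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): a stuffing run against six accounts, then a normal user.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z src=203.0.113.5 user=u01@example.com result=FAIL
2019-04-23T10:00:02Z src=203.0.113.5 user=u02@example.com result=FAIL
2019-04-23T10:00:03Z src=203.0.113.5 user=u03@example.com result=FAIL
2019-04-23T10:00:04Z src=203.0.113.5 user=u04@example.com result=OK
2019-04-23T10:00:05Z src=203.0.113.5 user=u05@example.com result=FAIL
2019-04-23T10:00:06Z src=203.0.113.5 user=u06@example.com result=FAIL
2019-04-23T10:01:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2019-04-23T10:01:40Z src=198.51.100.7 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_lines(text):
    """Parse log lines into (timestamp, source, account, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["res"] == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that hit >= min_accounts distinct accounts inside one window with a
    failure ratio >= min_fail_ratio; a user retrying their own password is one account."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        start, tried, comp = 0, 0, set()
        for end, (ts, _, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward in time
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, _, u, _ in chunk}
            fails = sum(1 for *_, ok in chunk if not ok)
            if len(accounts) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                tried = max(tried, len(accounts))
                comp |= {u for _, _, u, ok in chunk if ok}  # accounts the run opened
        if tried:
            flagged[src] = {"accounts_tried": tried, "compromised": sorted(comp)}
    return flagged
```

The flagged sources are candidates for blocking at the edge, and the `compromised` list is the set of accounts whose passwords should be reset first.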

Commenting on the breach, Kevin Gosschalk, chief executive of fraud and abuse prevention company Arkose Labs, said the breach shone a light on the seriousness of hackers carrying out automated attacks at scale.

"After nearly half a million accounts have been compromised, UNIQLO is urging users to not only reset their passwords, but to create a unique password for their accounts to reduce the chances of being hacked.

"Although that is a good immediate first step, companies can't guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface. Cyber criminals are constantly discovering new ways to take over accounts, and companies should provide proactive and preventative defences that stop these attacks without burdening the end-user."

Chris Kennedy, chief information and security officer and vice-president of customer success at security firm AttackIQ, said: "UNIQLO discovered the breach after customers reported strange account activity and after the company blocked the attackers from accessing the company's computing systems.

"However, it is alarming that this malicious third party was able to obtain unauthorised access via credential stuffing and elevate its access to move laterally through the company’s network to pilfer the data of approximately 460,000 users before being discovered.

"This leaves the questions of whether UNIQLO had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if UNIQLO was exclusively relying on users with user access to not engage in malicious activity."

Kennedy said the attackers' success demonstrated that UNIQLO had weak internal monitoring and possibly poor architecture that made customer data far too easy to access.

He added that the company was likely to have had "a lack of a separation of user roles and no data loss prevention solution in place that prevented the disclosure or theft of sensitive data, and clearly no control validation program".

"The insecure software development and insufficient use of security best practices from UNIQLO have created significant shared risk for itself and its customers alike. Only through comprehensive validation of its cyber readiness can an organisation ensure that its applications and systems can withstand a cyber attack. Enterprises must be held accountable for securing their users' data and for validating their cyber readiness before an adversary does."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
