Security Market Segment LS
Thursday, 16 May 2019 10:07

UNIQLO customer data stolen through credential stuffing attack

UNIQLO customer data stolen through credential stuffing attack Pixabay

Japanese public retail holding firm Fast Retailing has revealed that its UNIQLO Japan and GU Japan online stores have been breached and a total of 461,091 customer accounts accessed through a credential stuffing attack between 23 April and 10 May.

In a statement, Fast Retailing said the following information was likely to have been accessed:

  • Customer name (last name and first name)
  • Customer address (postal code, address, and apartment number)
  • Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
  • Receiver name (last name and first name), address, and phone number
  • Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.

The company added: "Currently, Fast Retailing has identified the origin of the communication from which the unauthorised logins were attempted and has blocked access, and is strengthening monitoring of other access points.

"On 13 May, the company disabled the passwords for the 461,091 user IDs that had been potentially accessed, and is sending individual emails to each person affected, requesting that they reset their password."

Commenting on the breach, Kevin Gosschalk, chief executive of fraud and abuse prevention company Arkose Labs, said: the breach shone a light on the seriousness of hackers carrying out automated attacks at scale.

"After nearly half a million accounts have been compromised, UNIQLO is urging users to not only reset their passwords, but to create a unique password for their accounts to reduce the chances of being hacked.

"Although that is a good immediate first step, companies can’t guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface. Cyber criminals are constantly discovering new ways to take over accounts, and companies should provide proactive and preventative defences that stop these attacks without burdening the end-user.”

Chris Kennedy, chief information and security officer and vice-president of customer success at security firm AttackIQ, said: “UNIQLO discovered the breach after customers reported strange account activity and after the company blocked the attackers from accessing the company’s computing systems.

"However, it is alarming that this malicious third party was able to obtain unauthorised access via credential stuffing and elevate its access to move laterally through the company’s network to pilfer the data of approximately 460,000 users before being discovered.

"This leaves the questions of whether UNIQLO had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if Uniqlo was exclusively relying on users with user access to not engage in malicious activity."

Kennedy said the attackers' success demonstrated that UNIQLO had weak internal monitoring and possibly poor architecture that made customer data far too easy to access.

He added that the company was likely to have had "a lack of a separation of user roles and no data loss prevention solution in place that prevented the disclosure or theft of sensitive data, and clearly no control validation program".

"The insecure software development and insufficient use of security best practices from UNIQLO has created significant shared risk for itself and its customers alike. Only through comprehensive validation of its cyber readiness can an organisation ensure that its applications and systems can withstand a cyber attack. Enterprises must be held accountable for securing its users’ data and for validating its cyber readiness before an adversary does.”


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments