Cyber Incident Victim: Office
Date:
May 2014
Location:
United Kingdom
Summary
A UK shoe retailer experienced a security breach compromising customer names, addresses, partial birth dates, passwords, and phone numbers for accounts created prior to August 2013, though no financial data was accessed as it was not stored. The breach was initially detected and later confirmed within a short timeframe, prompting password resets for affected users. The company communicated the incident via email but did not publicly disclose details on its website or blog, and the notification omitted any mention of cryptographic protections for stored passwords, raising concerns about potential password exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 29, 2014, UK shoe retailer Office notified customers via email of a security breach after detecting suspicious activity on May 22, 2014, and confirming unauthorized access by May 26, 2014. The company initiated password resets for all customer accounts following the confirmation. The breach exposed personal information of customers who created accounts before August 2013, including full names, physical addresses, phone numbers, birth dates (limited to day and month without year), and account passwords. Office explicitly stated that no financial data such as credit card details or PayPal information was compromised, as the retailer did not store such payment data. The company did not disclose whether the stolen passwords received cryptographic protection like hashing or salting prior to the breach, leaving their vulnerability to exploitation uncertain.
Office's public communication about the incident remained minimal, with no announcements on its corporate homepage or official blog at the time of disclosure. The retailer provided breach details exclusively through direct customer emails and a dedicated webpage accessible via a non-prominent link. The compromised data exposed affected customers to potential credential-stuffing attacks due to password reuse risks across other online services. No technical specifics regarding the attack vector, intruder origins, or total number of affected accounts were disclosed in the available notification. The breach timeline indicates a four-day investigation period between initial detection on May 22 and confirmation on May 26, followed by customer notifications three days later on May 29. Office did not reference any external law enforcement involvement or third-party forensic audits in its public statements.