Cyber Incident Victim: Wein & Co

On or around September 1, 2023, the Austrian company WEIN & CO experienced a significant cybersecurity incident involving its online webshop. The company publicly disclosed that a hacker attack had successfully breached their systems, resulting in the theft of customer data. This breach occurred despite the company having established and continually developed security measures in place, which were also subject to external auditing. The attack specifically targeted the webshop's user accounts, meaning that only customers who had created an account on the WEIN & CO online store were impacted by this data exfiltration. Importantly, customer data associated with the company's physical loyalty cards used in their retail stores and bars was confirmed to be entirely separate from the webshop systems and was therefore not compromised in any way. The management, including Managing Director Hannes Scheufele, expressed regret over the incident, acknowledging the ever-growing threat of cyber attacks and the serious breach of customer trust that such an event represents.

The types of data accessed and stolen by the attackers were detailed in the company's communication. The compromised information included fundamental personal identification details such as salutation, title, last name, and first name as stored in the webshop account. Furthermore, address information was taken; this encompassed whichever address the customer had provided for their orders, whether it was designated as a billing address or a delivery address within the webshop system. The primary email address used for logging into the webshop account was also among the stolen data. For customers who had provided additional optional information, their birthdate and telephone number were also accessed by the hackers. The incident also involved the theft of data related to customer orders; however, the company specified that this order data did not include any information about the specific products purchased or the quantities ordered, focusing instead on transactional metadata. A critical point of reassurance from the company concerned the security of financial information. Due to the architecture of their IT infrastructure and their partnerships with payment service providers, sensitive payment data was not accessible to the attackers. The company confirmed that no credit card information, bank account details, or any other payment data was stored on their systems, as all such transactions are handled exclusively by external payment processors, thereby insulating this highly sensitive information from the breach.

The security of customer account passwords was a focal point in the incident disclosure. WEIN & CO provided specific and crucial information regarding how user passwords were stored and protected. The company stated that no plaintext passwords were stored anywhere within their systems. The passwords that were present in the affected dataset were protected using modern, industry-standard security mechanisms. Specifically, the passwords were hashed and salted, which are cryptographic techniques designed to render passwords unreadable and extremely difficult to reverse-engineer even if the underlying data is stolen. While this significantly mitigates the immediate risk of account takeover via the stolen password data, the company still proactively recommended that all users of the webshop change their login passwords as a precautionary measure during their next sign-in, providing a direct link to their website for this purpose.

Upon discovery of the breach, WEIN & CO responded swiftly by engaging a dedicated team of experts. This team took comprehensive steps to first stop the ongoing attack, effectively containing the intrusion and preventing any further data exfiltration. Following the containment, the experts worked to restore the security integrity of the compromised systems, ensuring that vulnerabilities were patched and that the webshop could be returned to a secure operational state. In adherence to legal and regulatory obligations, the company promptly filed a report with the Austrian data protection authority, notifying them of the breach of personal data as required under relevant data protection laws. Concurrently, the matter was reported to law enforcement agencies, with WEIN & CO formally filing a criminal complaint with the police to initiate an investigation into the malicious hacking activity.

The company directly communicated the potential consequences of the data breach to its affected customer base. The primary risk identified was the loss of confidentiality of the stolen personal data. The company warned that the attackers could potentially publish the data or use it for malicious purposes, making previously private customer information publicly accessible. This exposure could lead to an increase in unwanted communications directed at the affected individuals. The most likely manifestations of this, as outlined by WEIN & CO, include receiving spam emails or becoming the target of sophisticated phishing attempts. These phishing campaigns could leverage the stolen personal details, such as names and addresses, to craft more convincing and personalized fraudulent messages designed to trick recipients into divulging further sensitive information or credentials. Customers were advised to remain vigilant and to regularly monitor their email inboxes for any suspicious or unsolicited correspondence that might appear following the incident.

WEIN & CO established a dedicated channel for customer support and further inquiries related to the incident. Affected users were instructed to contact the company's data protection experts directly at a provided email address, [email protected], should they observe any unusual activity associated with their webshop account or if they had additional questions that were not addressed in the general announcement. The company's communications consistently emphasized the high importance it places on customer security and trust, acknowledging the seriousness of the event and expressing profound regret that the breach occurred. The public disclosure aimed to be transparent about the scope of the incident, the specific data involved, the immediate actions taken, and the potential risks to customers, all while providing clear guidance on the recommended steps for users to protect themselves in the wake of the attack. The incident underscores the persistent challenges that organizations face from cybercriminals, even when maintaining robust and audited security protocols.