Shopping shambles: Two major retailers hit by data breaches in a single week

2 Jul 2018

Adidas logo on front of retail store. Image: TY Lim/Shutterstock

Both Adidas and Fortnum & Mason disclosed details of major breaches within days of each other.

Gig-goers were likely concerned at the biggest security story last week, as malicious software on a third-party service used by Ticketmaster may have led to the seizure of customer data. Here’s the lowdown on the incident.

Meanwhile, Wi-Fi security got the biggest boost it has seen in more than a decade with the introduction of the WPA3 security protocol. The Wi-Fi Alliance has officially kicked off certification of products supporting the new protocol. It will hopefully now be much harder for hackers to guess your password and it should make setting up smart devices in the home a lot simpler.

In other news, GDPR is barely a month old, and now a new law passed in California will see citizens of the Golden State gaining many similar privacy rights. Although many major tech firms lobbied against its implementation, it should come into force by 2020.

Retail names hit by data breaches

Users of the US Adidas website were last week warned that their personal data may have been compromised after a suspected data breach. The company itself learned of the breach on 26 June and said that the data included contact details, usernames and encrypted passwords. Adidas said no credit card or fitness details of consumers were impacted.

Across the ocean, luxury UK food retailer Fortnum & Mason admitted that the details of approximately 23,000 competition and survey participants were compromised. A third-party company that provides survey response collection and voting preference services – Typeform – suffered the breach, which then compromised the grocery chain’s data.

CEO of CyberGRX, Fred Kneip, said: “Retail websites have become a fertile hunting ground for attackers targeting customer data. Even when organisations do everything they can to safeguard their data, attackers have gotten very good at going through third parties to find a way in.”

UK government criticised for weak biometrics strategy

The government in the UK has been promising a biometrics strategy since 2012 and it finally materialised last week to resounding criticism, according to The Register. The document runs to a mere 27 pages and only 14 of those actually detail the use of biometric data by the Home Office in everyday public services.

Paul Wiles, the UK biometrics commissioner, complained that the strategy simply outlines how biometric information is currently used, barely touching on potential future implementations of the technology. “What is actually required is a governance framework that will cover all future biometrics rather than a series of ad-hoc responses to problems as they emerge.”

Are ‘dark patterns’ in privacy options being used by tech firms to manipulate the public?

The Norwegian Consumer Council has called out firms such as Facebook and Google for how they are presenting their GDPR privacy choices to users. ‘Dark patterns’ are tricks and strategies used in apps and websites that make you buy or sign up for things you didn’t intend to.

According to the report, inappropriate default selections and aggressive language used by the companies see customers nudged towards making certain choices, leading them in a certain direction and providing access to personal data along the way.

Rights groups raise concerns over search of asylum seekers’ devices

A report from Wired is shedding light on one of the more ethically dubious side effects of global smartphone ubiquity. Across Europe, a mobile forensics industry specialising in the extraction of data such as location history and WhatsApp chat information is growing. In 2017, both Germany and Denmark expanded laws enabling immigration officials to extract information from asylum seekers’ devices.

The UK and Norway have been searching phones for a number of years. German officials are using a program called Atos, which allows them to download device metadata. In Denmark, migrants are being asked for their Facebook logins.

This can be problematic, explained Christopher Weatherhead, technologist at Privacy International. “Because there is so much data on a person’s phone, you can make quite sweeping judgements that might not necessarily be true.”

Adidas logo on front of retail store. Image: TY Lim/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com