Fast Retailing Co., Asia’s largest retailer, released a statement acknowledging that hackers likely gained access to the personal information of nearly half a million Uniqlo and GU brand e-commerce portal users.
“It was confirmed on May 10, 2019 that an unauthorized login by a third party other than the customer occurred on the online store site operated by our company. Although the number of targets and the situation may change according to the progress of the future survey, we will report the facts confirmed at present and our response,” according to a translation of the company's statement.
“This fraudulent login was performed from April 23 to May 10, 2019 by the method of 'list-type account hacking (list-type attack),' and the number of accounts logged-in illegally as of the present is 461,091. We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”
Not only are the owners of the exposed passwords at risk; any e-commerce business with a user login page is also at risk of being the next company to suffer a breach, according to Rami Essaid, co-founder of Distil Networks.
“Data breaches like Uniqlo create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” Essaid said.
First there is “the massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password were stolen from a different website," Essaid continued. "While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
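Essaid describes the signature a credential-stuffing campaign leaves on a login endpoint: a burst of failed logins spread across many different accounts, with a handful of successes mixed in. As an added illustration that is not code from Fast Retailing, Distil Networks or this article, the following Python script runs a simple detector over a constructed login log (the addresses, usernames and timings are invented, and the four-field log format is an assumption). It separates one source cycling a stolen list across many distinct usernames from a legitimate customer repeatedly failing on their own account, and it lists the accounts the flagged source did log into so they can be locked and their owners notified.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log, one event per line:
#   "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
# Everything here is invented for the example; nothing is data from the breach.
def _build_sample_log():
    lines = []
    t0 = datetime(2019, 4, 23, 3, 0, 0)
    # One source cycling a stolen username/password list: 30 distinct accounts,
    # 28 failures and 2 successes (the successes are the takeovers to act on).
    for i in range(30):
        ts = t0 + timedelta(seconds=4 * i)
        result = "LOGIN_OK" if i in (7, 19) else "LOGIN_FAIL"
        lines.append(f"{ts.isoformat()} 203.0.113.5 user{i:03d} {result}")
    # A legitimate customer mistyping their own password several times, then succeeding.
    for i in range(6):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 bob LOGIN_FAIL")
    lines.append(f"{(t0 + timedelta(seconds=70)).isoformat()} 198.51.100.7 bob LOGIN_OK")
    # Ordinary successful logins from other customers.
    for i in range(5):
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.{10 + i} customer{i} LOGIN_OK")
    # ISO-8601 timestamps sort lexically, so this orders the log by time.
    return sorted(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one log line into (timestamp, source IP, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_failures=20, min_distinct_users=15):
    """Return {ip: report} for sources whose failures inside `window` span many accounts.

    A single customer retrying their own password produces many failures but one
    username; a list-based attack produces roughly one failure per username. The
    distinct-user threshold is what tells the two apart.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures in the window
    successes = defaultdict(set)  # ip -> usernames that logged in successfully from that ip
    flagged = {}
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "LOGIN_OK":
            successes[ip].add(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {u for _, u in q}
        if ip not in flagged and len(q) >= min_failures and len(distinct) >= min_distinct_users:
            flagged[ip] = {
                "first_flagged": ts,
                "failures": len(q),
                "distinct_users": len(distinct),
            }
    # Accounts the flagged source actually got into are the likely takeovers:
    # these are the ones to lock, reset and notify.
    for ip, report in flagged.items():
        report["accounts_to_review"] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, report in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

The thresholds are deliberately conservative placeholders; in production they would be tuned against the site's normal failure rate, and the source key would usually combine IP with other request attributes, since a campaign spread across a large proxy pool keeps each individual address under any per-IP limit.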
Insecure web applications continue to plague e-commerce businesses because retailers limit their application security efforts and often overlook the most obvious risks and threats, said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Cyber-criminals will now increasingly target retailers from developed countries within the APAC region, as Western retailers are better protected and are also suffering from an economic slowdown.
“Application security should start with a holistic inventory and risk assessment to enable well-informed decisions. Afterwards, continuous security monitoring is vital to ensure agile development processes and timely addressing of any new security and privacy issues.”