At least 700,000 users of online fashion websites including Elle Belle Attire, AX Paris and Traffic People have had their personal details exposed following a security breach suffered by their site provider Fashion Nexus.
The Fashion Nexus data breach allegedly exposed personal information that includes names, email addresses, phone numbers and passwords.
There is no indication that card payment details were at risk.
The breach was first flagged by computer security analyst Graham Cluley, who put the number of affected users as high as 1.4 million.
In a blog post, Cluley said that a white hat hacker – an expert who finds security flaws – named Taylor Ralston was able to access a database containing personal details of the online stores’ customers.
In addition to Elle Belle Attire, AX Paris and Traffic People, online fashion retailers Perfect Handbags and DLSB were reportedly affected.
Verdict contacted the affected retailers but received no reply at the time of writing.
“Question marks over the numbers”
Rob Sherwood, director of Fashion Nexus, told Verdict that the breach has been reported to the affected clients and to the Information Commissioner’s Office (ICO).
Having been sent a restored copy of the data dump by Cluley’s researcher, Sherwood raised doubts about the 1.4 million figure, putting the figure at around half that number.
“There is a question mark over the number of customer records Graham is claiming in his article. It appears very inflated compared to the number of customers actually affected,” he said.
Sherwood also raised concerns that the affected clients named by Cluley contains inaccuracies.
“At least one of the clients Graham named in his article did not have their store database present in the full data dump I’ve been sent,” he said.
“This client is, quite rightfully, not happy about this.”
For confidentiality reasons, Sherwood was unable to confirm the falsely identified company.
However, it appears that the falsely identified company was, in fact, Jaded London, after Verdict reached out to the affected retailers for comment.
The swimwear company, which saw its popularity rise after the brand was associated with Love Island, was also named by Cluley.
Jaded London said that they are aware of a data breach that affected a “historic database, stored on a server run by Fashion Nexus”.
The fashion retailer told Verdict:
“Jadedldn.com is not and was not managed by Fashion Nexus at the time of the breach, and at no time was the Jadedldn.com live website compromised.
“As part of our dedication to the security of our customers and their data, we are in contact with the ICO and continue to review our security with our current developers and providers.
“We would welcome any customers who are concerned about their data to contact us directly.”
What does the Fashion Nexus data breach mean under GDPR?
Under GDPR, organisations that fail to adequately protect customers’ data can face maximum fines of 4% of global turnover or €20m – whichever is higher.
Fines are levied by the Information Commissioner Office on a sliding scale that is proportionate to the offence.
Fashion Nexus’ most recently available company accounts show that the IT service provider had a turnover of £199,967 for the financial year ending 31 May 2017.
While the security flaw was found on Fashion Nexus’ end, GDPR applies to both ‘controllers’ and ‘processors’.
A controller determines the purpose and means of processing data, in this case the online retailers.
Fashion Nexus is the data processor, which means that they are responsible for processing personal data on behalf of the controller.
According to the ICO website, the processor has legal liability if they are responsible for a breach, but controllers are also obliged to ensure that their contracts with processors comply with GDPR.
In an official statement, an ICO spokesperson said: “Organisations have a legal duty to ensure the security of any personal data they process.”
They added: “We are aware of an incident involving White Room Solutions [Fashion Nexus’ sister company] and some of its client retailers and will be making enquiries.”
Personal data could be used in identity fraud
The type of details exposed could lead to identity fraud and identity theft if they were to fall into the wrong hands, warned Ryan Wilk, vice president at Mastercard-owned NuData Security.
“With these types of fraud, personally identifiable information such as name, address, or date of birth is traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft,” he said.
He stressed the importance of retailers and other organisations using technology to protect against fake accounts created with stolen information.
“This is why retailers, e-Commerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics,” he said.