High street retailer Office has avoided a fine from the Information Commissioner’s Office (ICO) despite a hack on the company that exposed details on over one million customers.
The breach occurred in May last year and saw personal details including addresses and passwords stolen. Office said at the time that no payment information was accessed as it was not kept in the database.
An ICO investigation found that the hack occurred because the company had failed to delete data from an old database during the migration to a newer system.
"Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk," the ICO said in its report.
"However, Office has since accepted that in hindsight the risks of removing these details before migration were less than originally thought.
"As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over-cautious and not strictly required."
ICO enforcement group manager Sally-Anne Poole said that the incident underlined the importance of good data management, especially if the information being retained is not required.
"All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used," she explained.
"The need and purpose for retaining personal data should also be assessed regularly to ensure that the information is not being kept for longer than required."
However, although it appears that no harm was done by the hackers and no financial information was at risk, Poole warned that the incident highlighted the risks of using a single password for all online sites.
"This one incident could have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question," she said.
"It’s important to use a unique, strong password for each separate account, preferably a combination of numbers and letters - not a name or dictionary word."