In a shocking case of a cyberattack lasting a whole of two months and more, hackers appear to have stolen personal data belonging to millions of customers of an online retail giant in the United States.
SHEIN, the affected company, has put out a statement admitting that information such as user IDs and passwords pertaining to as many as 6.5 million customers on their site might have been stolen.
But the company claims it did not capture credit details of its customers and therefore the overall damage to them could be very limited.
They have initiated the steps to help customers feel safe doing business on their site going ahead.
SHEIN Took Time to Detect the Hack but Reacted Swiftly
Tracing the complete incident at SHEIN, the reports now emerging indicate the actual hacking of their site started in the month of June this year and kept being invaded until it was detected in late-August.
In late-September, the company finally released a statement and FAQ addressing the incident.
As mentioned, in the process, the hackers had stolen data such as names, email addresses, user IDs and passwords (which were encrypted) of SHEIN’s customers.
SHEIN was quick to act as soon as it detected the security breach on its site, and reports indicate that the company’s engineers took actions to repair the breach by scanning their systems and removing the vulnerabilities.
They have also engaged the services of cybersecurity experts to conduct a thorough investigation into the hacking incident and recommend ways to shut out such weaknesses in their system.
Assuring Customers That All Is Well
After these steps to fortify its website, SHEIN addressed the incident to its customers—asking them to immediately change their passwords on the site. The email itself contained a link where the customers could click and make the changes.
The online fashion retailer assured the customers that it was safe to visit the site and make purchases, as before, and their data will remain confidential. SHEIN also made it clear that its process does not involve retaining any data relating to the credit cards of the customers.
The implied meaning is that the moment the payment dialogue is reached, the customers are taken to an independent site whether it is their bank’s or the verified platform authorized to route the payments. Thus, the credit card details are not on SHEIN’s site and there is no way such data might have been compromised during the cyberattack.
However, in its notice to the customers, the company has informed them that if any of them feel threatened that their card details might have been stolen, they are free to approach their respective banks or card-issuing companies to put in an alert for whatever it is worth.
Analysts believe that with the absence of credit card details in this attack, it may be treated as different from some of the recent cyberattacks witnessed in sites like British Airways and Ticketmaster which were attributed to a hacking group known as Magecart.
Some Lessons for Others from the SHEIN Incident?
One of the intriguing questions to arise after the incident is why the company did not notice anything amiss for almost two months. In today’s condition where data security is practically dominating the discussions and debates all over, how could a popular ecommerce firm with millions of customers visiting its site and transacting business be so negligent as to permit a hacker to make an illegal entry and stay for such a lengthy period?
It brings back the same old issues of not following certain security protocols and drills that the cybersecurity experts keep advocating day in and day out. These are very simple exercises and should be followed by every organization, big or small.
It is accepted that the best antivirus package may still be not sufficient to hold back a hacker. But periodical audits and checks to see if there have been any breaches go a long way in safeguarding data.