M&S plays down security exposure

Marks & Sparks says security accident couldn't have caused a broader breach
Written by Will Knight, Contributor

UK retail giant Marks & Spencers confirmed Friday that its Web site experienced a malfunction that left customer information and system passwords exposed.

An online customer stumbled across the information after clicking a broken link at the Web site www.marksandspencers.com at the weekend. Marks and Spencers today issued a statement to reassure customers that this was an isolated incident and that the vulnerability was swiftly plugged.

According to a spokesman, the information exposed concerned users' browsing habits, such as their IP addresses and the pages they had visited, as well as some passwords to the SQL database running the site.

Marks & Spencers says it is highly unlikely that the information exposed could have been used to gain access to other sensitive data because of other security measures in place.

"This error was swiftly identified and within hours all steps necessary were taken to ensure that a repetition of this event is not possible," says the company's statement. "We remain convinced that shopping online with Marks & Spencers is as safe as shopping in high street stores."

Some security experts, however, disagree with the company's claim that the incident could not lead to a broader security breach.

Neil Barrett, technical director of computer security firm IRM, was shown the message by online news service Silicon.com and says that the file contained encrypted passwords for the SQL platform as well as plain text passwords for accessing SQL services. This could potentially give an unauthorised user access to a system where personal information might be stored, says Barrett. "I'm 90 percent sure that I'd be able to get access to personal data," he says.

Barrett says that patterns used to generate the passwords in the dump file would also give a hacker a good chance of guessing other system passwords, which he says is a common trick.
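The incident described above is a familiar failure mode: a server-side error page that dumps whatever is in scope, configuration and database credentials included, back to the visitor. The following is an added illustration, not code from the article or from Marks & Spencers, contrasting such a leaky handler with a hardened one that logs the detail internally under a reference id and returns nothing sensitive; it also includes a simple check a defender can run over rendered responses to catch the leak before a customer does. All hostnames, usernames, credentials and request details are constructed placeholders.

```python
"""Added illustration (not from the article): a 'debug' error page that dumps
server state versus a hardened handler that keeps secrets out of the response.
All names, hosts and credentials below are constructed placeholders."""
import logging
import re
import uuid

# Constructed application configuration; the values are placeholders, not real secrets.
CONFIG = {
    "db_host": "db.internal.example",
    "db_user": "shop_app",
    "db_password": "Pl4ceholder-Secret",   # would be a live credential in production
    "session_secret": "another-placeholder",
}

# Details of the incoming request that a leaky page might echo back (constructed).
REQUEST = {"remote_addr": "203.0.113.7", "path": "/shop/broken-link", "referer": "/shop/home"}

log = logging.getLogger("shop")


def leaky_error_page(exc: Exception) -> str:
    """The failure mode in the article: the error page prints everything in
    scope, including database credentials and the visitor's own details."""
    lines = [f"500 Internal Server Error: {exc!r}", "--- config ---"]
    lines += [f"{k} = {v}" for k, v in CONFIG.items()]
    lines += ["--- request ---"]
    lines += [f"{k} = {v}" for k, v in REQUEST.items()]
    return "\n".join(lines)


def hardened_error_page(exc: Exception) -> str:
    """Mitigation: record the detail server-side under a correlation id and
    return only that id, so the response carries no configuration values and
    no per-user browsing data."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s path=%s exc=%r", ref, REQUEST["path"], exc)
    return f"Something went wrong. Reference: {ref}"


SECRET_MARKERS = ("password", "secret", "token")


def response_leaks_secret(body: str) -> bool:
    """Check a rendered response for material that must never reach a browser:
    any CONFIG value whose key looks sensitive, or a 'key = value' line that
    names such a key. Suitable for a post-deployment smoke test of error pages."""
    for key, value in CONFIG.items():
        if any(marker in key for marker in SECRET_MARKERS) and value in body:
            return True
    return re.search(r"(?im)^\s*\w*(password|secret|token)\w*\s*[=:]", body) is not None


if __name__ == "__main__":
    err = RuntimeError("template not found for /shop/broken-link")
    print(leaky_error_page(err))
    print("leaks:", response_leaks_secret(leaky_error_page(err)))
    print(hardened_error_page(err))
    print("leaks:", response_leaks_secret(hardened_error_page(err)))
```

The point of the reference id is that support staff can still find the full stack trace and context in the server log, so nothing is lost by withholding it from the response; the check function is deliberately conservative (it keys on the configuration's own sensitive values rather than guessing at formats) so it can be run against every error route in a test suite.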
