There are many interesting lessons to learn in the unfolding saga at on-line sports retailer Wiggle…
Customers first started raising concerns over two weeks ago about orders being placed on their Wiggle accounts (and payments taken) without their knowledge. Some people also reported that they had been locked out of their accounts. The company’s initial response was characterised by a complete failure to engage with customers’ concerns. As of Monday they have publicly acknowledged that there is a problem, but the tone of their communications is still defensive, focusing on the fact that “Our systems remain secure” and “customers’ login details have been acquired outside of Wiggle’s systems.”
The most likely scenario seems to be that, using personal details stolen elsewhere, fraudsters were able to log in to people’s Wiggle accounts where individuals had re-used login details and passwords from other services. The fraudsters were then able to place orders and change account details (including login details) on these accounts. Whilst Wiggle seem to be placing great significance on the fact that the data was not stolen from them, and that there was therefore no data breach, that is of little interest or comfort to affected customers. Moreover, “credential stuffing attacks” such as these are a notifiable data protection incident in their own right (Wiggle has confirmed that it has reported the incident to the ICO).
Clearly there are important lessons here for all of us as consumers, principally about not re-using login details for multiple sites. The incident also highlights the challenge for on-line retailers in striking the correct balance between security and convenience: it has surprised many people that the fraudsters were able to order goods to be sent to a new address without having to re-enter any card details. But the primary lesson for all organisations is that information security incidents will continue to occur and that you need to be ready to respond quickly when they do. Critically, that involves having processes in place for investigating reports of suspicious activity in a timely fashion and for communicating effectively with customers.
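The two operational points above (spotting credential stuffing in login traffic, and requiring card details to be re-entered when an order goes somewhere new) can be expressed as concrete checks. The following is an added example written for this page; it is not Wiggle's code and makes no claim about how their systems work. The login events, account records, thresholds and field names are all constructed for illustration.

```python
"""Added example (not from the article or from Wiggle's systems).

1. detect_credential_stuffing(): flags source IPs whose login attempts are spread
   across many distinct accounts with a high failure rate. That pattern is the
   signature of a credential stuffing attack: a stolen username/password list is
   replayed against the site, and only the re-used credentials succeed.
2. order_requires_step_up(): returns the reasons an order should require the card
   to be re-entered, e.g. it ships to an address that is not on the account or was
   added recently, or the account's login details were changed recently.

The thresholds, time windows and record layouts are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source_ip, account, success).
# 203.0.113.5 tries six different accounts in six seconds; 198.51.100.7 is one
# customer mistyping a password once.
LOGIN_EVENTS = [
    ("2019-07-01T10:00:01", "203.0.113.5", "alice", False),
    ("2019-07-01T10:00:02", "203.0.113.5", "bob", False),
    ("2019-07-01T10:00:03", "203.0.113.5", "carol", True),
    ("2019-07-01T10:00:04", "203.0.113.5", "dave", False),
    ("2019-07-01T10:00:05", "203.0.113.5", "erin", False),
    ("2019-07-01T10:00:06", "203.0.113.5", "frank", True),
    ("2019-07-01T10:05:00", "198.51.100.7", "alice", False),
    ("2019-07-01T10:05:30", "198.51.100.7", "alice", True),
]


def detect_credential_stuffing(events, min_accounts=5, min_failure_rate=0.5):
    """Return {ip: summary} for IPs whose attempts span >= min_accounts distinct
    accounts with a failure rate >= min_failure_rate (thresholds are assumed)."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for _ts, ip, account, success in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if not success:
            stats["failures"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        failure_rate = stats["failures"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and failure_rate >= min_failure_rate:
            flagged[ip] = {
                "accounts": sorted(stats["accounts"]),
                "failure_rate": round(failure_rate, 2),
            }
    return flagged


def order_requires_step_up(order, account, now,
                           new_address_window=timedelta(days=7),
                           credential_change_window=timedelta(days=7)):
    """Return a list of reasons the order should require card re-entry before it
    ships; an empty list means no step-up is needed. Windows are assumed values."""
    reasons = []
    added_at = account["addresses"].get(order["ship_to"])
    if added_at is None:
        reasons.append("shipping address not on account")
    elif now - added_at < new_address_window:
        reasons.append("shipping address added recently")
    if now - account["credentials_changed_at"] < credential_change_window:
        reasons.append("login details changed recently")
    return reasons


# Constructed account records: address label -> date added, plus last credential change.
LONG_STANDING_ACCOUNT = {
    "addresses": {"home": datetime(2018, 1, 1)},
    "credentials_changed_at": datetime(2018, 6, 1),
}
TAKEN_OVER_ACCOUNT = {
    "addresses": {"home": datetime(2018, 1, 1), "new flat": datetime(2019, 6, 30)},
    "credentials_changed_at": datetime(2019, 6, 30),
}
NOW = datetime.fromisoformat("2019-07-01T10:10:00")


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(LOGIN_EVENTS).items():
        print(f"possible credential stuffing from {ip}: {summary}")
    for label, account in (("normal", LONG_STANDING_ACCOUNT), ("taken over", TAKEN_OVER_ACCOUNT)):
        order = {"ship_to": "home" if label == "normal" else "new flat"}
        print(label, "->", order_requires_step_up(order, account, NOW) or "no step-up")
```

The login check keys on distinct accounts per source rather than on failures alone, because a stuffing run against re-used passwords succeeds often enough that a plain failed-login counter under-reports it. The order check is deliberately a list of reasons rather than a boolean so the fraud team investigating a customer report can see why an order was held.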