Shut the front door: Jewson 'fesses up to data breach

Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer. In a letter sent to customers – seen by The Reg – Jewson stated: "As a Jewson Direct customers, we regrettably are writing to inform you that our website (www. …

Silver badge

Obligatory

"They've hacked the Jewson lot"

15
0
Silver badge
Coat

Re: Obligatory

I guess their customers are screwed...

6
0
Bronze badge
FAIL

Re: Obligatory

Had a builder who wore Jewson T-shirts religiously when working. I asked if he had some sort of sponsorship deal with them given the daily use. He said no just a shed load of the T-shirts they'd given him free. Given his lack of interest in IT I doubt he will have been affected by this breach. Going off to Jewson to get something that he was lacking could take a while. Certainly wouldn't have been keen on ordering online and having things delivered.

3
0
Silver badge

Card Payments

"We follow the Payment Card Industry Data Security Standard (PCI DSS)."

I thought that card payments on a website are dealt with by links to a third party 'approved' payments operator. Have I misunderstood this?

3
0
Silver badge

Re: Card Payments

Some of those can be vulnerable.

Everyone should really be moving to TLS 1.2 by next year at the latest to mitigate against some nasty weaknesses

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Most of the payment companies told people about this a while ago.

Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available.

3
0
Anonymous Coward

Re: Card Payments

"Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available."

It was mentioned that CVV values were among the leaked data. Since these are not supposed to be stored by anyone, I would expect that something was sniffing the traffic to capture the information leaked.

2
0
Silver badge

Re: Even using third parties, there are issues

Oh yeah. Big time.

Somewhere on Jewson's site is a link to the payment handler. Doesn't matter if it takes you to the payment handler's page decked out in Jewson finery, if it's an iFrame or some Web 2.0 thingummyjig. Somewhere there's a link. So if you hack into the Jewson site you can change that link and mount a MITM attack.

Which means you can't offload your security problems onto the third-party payment handler. You must ensure that your own site is secure. And periodically monitor that the link hasn't been tampered with (details left as an exercise for the reader, because a clever attacker will take steps to fool such monitoring, like detecting the IP address requests come from).

0
0
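The point made above, that a tampered link or iframe on the merchant's own checkout page defeats any outsourcing of card handling, can be checked mechanically. The following script is an added example, not code from the original thread or from any Jewson or Saint-Gobain system: it parses a fetched checkout page with the standard library, flags any form action, iframe or script that points to a host outside an allowlist of expected payment-provider hosts or uses plain HTTP, and compares each inline script against a baseline hash. The hostnames and the two sample pages are constructed for the example; the baseline hash is computed from a made-up known-good script. As the comment notes, an attacker can fingerprint the monitor, so such checks should be run from varied vantage points and the fetched page kept for forensics.

```python
"""Audit a checkout page for tampering of its payment-handler references.

Added example: hostnames, pages and the baseline script are constructed
placeholders, not real Jewson or payment-provider values.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is allowed to hand the card form to (placeholder).
EXPECTED_HOSTS = frozenset({"pay.example-psp.test"})

# Known-good inline checkout script, recorded when the page was last reviewed
# (constructed for this example); only its SHA-256 is kept for comparison.
BASELINE_SCRIPT = "window.checkout={psp:'https://pay.example-psp.test/v1'};"
BASELINE_HASHES = frozenset({hashlib.sha256(BASELINE_SCRIPT.encode()).hexdigest()})


class CheckoutScanner(HTMLParser):
    """Collect outbound references and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.references = []      # (tag, url) for form actions, iframes, script srcs
        self.inline_scripts = []  # bodies of <script> blocks without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.references.append(("form", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.references.append(("iframe", a["src"]))
        elif tag == "script":
            if a.get("src"):
                self.references.append(("script", a["src"]))
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def audit_checkout(html, expected_hosts=EXPECTED_HOSTS, baseline_hashes=BASELINE_HASHES):
    """Return a list of human-readable findings; an empty list means no tampering seen."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for tag, url in scanner.references:
        parsed = urlparse(url)
        host = parsed.hostname  # None for same-origin relative URLs, lower-cased otherwise
        if host is not None and host not in expected_hosts:
            findings.append(f"{tag} points to unexpected host {host!r}: {url}")
        if parsed.scheme == "http":
            findings.append(f"{tag} uses plain HTTP: {url}")
    for i, body in enumerate(scanner.inline_scripts):
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline_hashes:
            findings.append(f"inline script #{i} hash {digest[:12]}... not in baseline")
    return findings


# Constructed sample pages: one matching the baseline, one with altered references.
CLEAN_PAGE = """<html><body>
<form id="pay" action="https://pay.example-psp.test/v1/checkout" method="post"></form>
<iframe src="https://pay.example-psp.test/v1/frame"></iframe>
<script>window.checkout={psp:'https://pay.example-psp.test/v1'};</script>
</body></html>"""

TAMPERED_PAGE = """<html><body>
<form id="pay" action="https://pay.example-psp.test.unexpected.test/v1/checkout" method="post"></form>
<iframe src="https://pay.example-psp.test/v1/frame"></iframe>
<script src="http://cdn.unexpected.test/checkout.js"></script>
<script>window.checkout={psp:'https://pay.example-psp.test.unexpected.test/v1'};</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, "->", audit_checkout(page) or "no findings")
```

In production the page body would come from an HTTPS fetch of the live checkout URL rather than a string constant, and the allowlist and baseline hashes would be updated as part of the change process for the site, so that a legitimate deployment does not look like tampering.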
Silver badge

Is it normal to report the hack to the ICO a week after, rather than, say, a day or two after realising?

3
0
Silver badge

'As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised.'

Plain text?

'No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.'

This additional statement makes it look like you don't know what information your systems store. Unless of course you suspect the code that was inserted was possibly stealing card data as it was entered.

5
0

Card details ripped by the ripper

Cryptic message left behind in the logs

"The Juweson are the men that will not be blamed for nothing."

3
0
Silver badge
Coffee/keyboard

Experian

To help you monitor your personal information for certain signs of potential theft, we are offering you a complimentary 12 month memberships to Experian ProtectMyID

My reaction -->

Does this mean that your data can be lost by two different organisations instead of one?

9
0

WannaCry

I was in my local Jewsons on the day WannaCry was kicking off. Curiously, all their computer systems were powered down and it was a case of pens & paper at the ready. I'm sure there was no link between the two and it was purely coincidental. 1% sure.

6
0
Anonymous Coward

Re: WannaCry

WannaCry had no impact on Jewsons or the other business groups. I believe the reason for the power off was to prevent any chance of it infecting end users until such time that countermeasures were in place.

0
0

Was the breach earlier than August?

In late June, we were having a new shower fitted in our bathroom. Our plumber referred us to the Graham's Plumber Merchants web site (also part of the same group as Jewson, owned by the French company Saint Gobain). Unfortunately, the website was unavailable (as were many of the St Gobain group, including those of Jewson, Graham's and British Gypsum) and our plumber later said that the Graham's web site was undergoing a cyber attack and even he could not access his online account.

With all these web sites suffering outages at the same time, it makes you wonder what caused this, and whether it is related to this more recent admission of a breach and possible loss of customer's data?

4
0
Anonymous Coward

Re: Was the breach earlier than August?

*cough* theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe

Jewsons is part of the Saint-Gobain group, I'll leave the rest up to you to figure out.

0
0

Oh dear

It looks like Jewson IT security is run by a bunch of planks.

5
0
Silver badge

Re: Oh dear

What a load of tools.

3
0
Anonymous Coward

Re: Oh dear

*cough* externally hosted and run site, no one from either side of IT involved with it (Jewsons doesn't have "IT" as such)

0
0

Having ‘worked’ many years ago with Jewsons I can confirm that they are a bunch of planks that are screwed, overseen by spanners. As other worthy commentards have pointed out.

The high point in our trading relationship was ordering material for a medium sized roof.

We received:-

Roofing felt

Roofing batten

Roofing nails

Velux x 3

Slate chippings 2 x 1000kg bags

What’s wrong with that for doing a roof?

Which plank keyed the order

Who screwed up loading it

Which spanner checked the truck before it left the depot

What you clearly see is that nobody there cared in the slightest. And that is why I will never ever use them for anything ever again. If anyone had thought about it for more than one second they would have spotted the problem. And believe me it was often like that there.

And the whole business is run on Keridge software - let’s not even get me started.

0
0
Silver badge
Terminator

Personal data may have been compromised

'customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”'

In this day and age, why isn't such information stored in an encrypted form on a machine accessible from the Internet? Who designed and installed the system at online builders merchant Jewson? Who is responsible for maintenance and security? I guess the original hack consisted of someone opening a malicious email attachment, the solution being to:

a. Configure your email client to only open msWord docs in the MS Word Viewer, same for Excel etc.

b. Disable automatic opening of URL links in PDF documents.

c. Disable auto-running flash and similar active content.

d. Use a unique email to register with a site.

e. Use a burner phone for two-factor authentication.

f. Never disclose either to any third party.

Is this the state of 'computer' security in the year 2017 AD .. I mean Current Era, wouldn't want to trigger anyone :]

0
0
Anonymous Coward

Re: Personal data may have been compromised

"Microsoft has announced that Word Viewer will be retired in November 2017, the program will no longer receive security updates or be available to download."

0
0

encrypted into the website?

What does "encrypted into the website" mean then?

0
0


Biting the hand that feeds IT © 1998–2017