"They've hacked the Jewson lot"
Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer. In a letter sent to customers – seen by The Reg – Jewson stated: "As a Jewson Direct customers, we regrettably are writing to inform you that our website (www. …
I guess their customers are screwed...
Had a builder who wore Jewson T-shirts religiously when working. I asked if he had some sort of sponsorship deal with them given the daily use. He said no just a shed load of the T-shirts they'd given him free. Given his lack of interest in IT I doubt he will have been affected by this breach. Going off to Jewson to get something that he was lacking could take a while. Certainly wouldn't have been keen on ordering online and having things delivered.
"We follow the Payment Card Industry Data Security Standard (PCI DSS)."
I thought that card payments on a website are dealt with by links to a third party 'approved' payments operator. Have I misunderstood this?
Some of those can be vulnerable.
Everyone should really be moving to TLS 1.2 by next year at the latest to mitigate against some nasty weaknesses
Most of the payment companies told people about this a while ago.
Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available.
"Even using third parties, there are issues, e.g. if using an API where Jewson have some form of token for a card, if tokens can be grabbed, & credentials to communicate with 3rd party, then can get card details using token in API calls. Details would vary depending what was originally stored, number will be available."
It was mentioned that CVV values were among the leaked data. Since these are not supposed to be stored by anyone, I would expect that something was sniffing the traffic to capture the information leaked.
Oh yeah. Big time.
Somewhere on Jewson's site is a link to the payment handler. Doesn't matter if it takes you to the payment handler's page decked out in Jewson finery, if it's an iFrame or some Web 2.0 thingummyjig. Somewhere there's a link. So if you hack into the Jewson site you can change that link and mount a MITM attack.
Which means you can't offload your security problems onto the third-party payment handler. You must ensure that your own site is secure. And periodically monitor that the link hasn't been tampered with (details left as an exercise for the reader, because a clever attacker will take steps to fool such monitoring, like detecting the IP address requests come from).
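One way to do the periodic check the commenter describes, as an added example that is not part of the thread: pull every outbound hand-off on the checkout page (form actions, iframe and script sources) and flag any host outside an allowlist. The shop and payment-provider hostnames and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is allowed to reference (constructed placeholders).
ALLOWED_HOSTS = {"www.shop.example", "pay.psp.example"}

# Tag/attribute pairs that can redirect the shopper or load third-party code.
WATCHED = {("form", "action"), ("iframe", "src"), ("script", "src")}


class HandoffCollector(HTMLParser):
    """Collect every URL on the page that could carry or capture card data."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in WATCHED and value:
                self.urls.append(value)


def find_unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Return external hosts referenced by the checkout page that are not allowlisted."""
    collector = HandoffCollector()
    collector.feed(html)
    unexpected = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        # Relative URLs have no host and stay on the shop's own origin.
        if host and host not in allowed:
            unexpected.add(host)
    return sorted(unexpected)


# Constructed samples: a clean checkout page, and one where an extra script was injected.
CLEAN = """<form action="https://pay.psp.example/checkout" method="post">
<script src="/static/checkout.js"></script></form>"""
TAMPERED = """<form action="https://pay.psp.example/checkout" method="post">
<script src="https://cdn.unknown-third-party.test/skim.js"></script></form>"""

if __name__ == "__main__":
    print(find_unexpected_hosts(CLEAN))     # []
    print(find_unexpected_hosts(TAMPERED))  # ['cdn.unknown-third-party.test']
```

As the comment notes, a compromised site can serve the clean page to a known monitoring address, so the fetch should come from varied vantage points and be compared with what a real customer session receives.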
Is it normal to report the hack to the ICO a week after, rather than, say, a day or two after realising?
'As a Jewson Direct customers, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/ debit card details may have been compromised.'
'No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.'
This additional statement makes it look like you don't know what information your systems store. Unless of course you suspect the code that was inserted was possibly stealing card data as it was entered.
Cryptic message left behind in the logs
"The Juweson are the men that will not be blamed for nothing."
To help you monitor your personal information for certain signs of potential theft, we are offering you a complimentary 12-month membership to Experian ProtectMyID
My reaction -->
Does this mean that your data can be lost by two different organisations instead of one?
I was in my local Jewsons on the day WannaCry was kicking off. Curiously, all their computer systems were powered down and it was a case of pens & paper at the ready. I'm sure there was no link between the two and it was purely coincidental. 1% sure.
WannaCry had no impact on Jewsons or the other business groups. I believe the reason for the power off was to prevent any chance of it infecting end users until such time that countermeasures were in place.
In late June, we were having a new shower fitted in our bathroom. Our plumber referred us to the Graham's Plumber Merchants web site (also part of the same group as Jewson, owned by the French company Saint Gobain). Unfortunately, the website was unavailable (as were many of the St Gobain group, including those of Jewson, Graham's and British Gypsum) and our plumber later said that the Graham's web site was undergoing a cyber attack and even he could not access his online account.
With all these web sites suffering outages at the same time, it makes you wonder what caused this, and whether it is related to this more recent admission of a breach and possible loss of customers' data?
Jewsons is part of the Saint-Gobain group, I'll leave the rest up to you to figure out.
It looks like Jewson IT security is run by a bunch of planks.
What a load of tools.
*cough* externally hosted and run site, no one from either side of IT involved with it (Jewsons doesn't have "IT" as such)
Having ‘worked’ many years ago with Jewsons I can confirm that they are a bunch of planks that are screwed, overseen by spanners. As other worthy commentards have pointed out.
The high point in our trading relationship was ordering material for a medium sized roof.
Velux x 3
Slate chippings 2 x 1000kg bags
What’s wrong with that for doing a roof?
Which plank keyed the order
Who screwed up loading it
Which spanner checked the truck before it left the depot
What you clearly see is that nobody there cared in the slightest. And that is why I will never ever use them for anything ever again. If anyone had thought about it for more than one second they would have spotted the problem. And believe me it was often like that there.
And the whole business is run on Keridge software - let’s not even get me started.
'customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”'
In this day and age, why isn't such information stored in an encrypted form on a machine accessible from the Internet? Who designed and installed the system at online builders merchant Jewson? Who is responsible for maintenance and security? I guess the original hack consisted of someone opening a malicious email attachment, the solution being to:
a. Configure your email client to only open MS Word docs in the MS Word Viewer, same for Excel etc.
b. Disable automatic opening of URL links in PDF documents.
c. Disable auto-running flash and similar active content.
d. Use a unique email to register with a site.
e. Use a burner phone for two-factor authentication.
f. Never disclose either to any third party.
Is this the state of 'computer' security in the year 2017 AD .. I mean Current Era, wouldn't want to trigger anyone :]
"Microsoft has announced that Word Viewer will be retired in November 2017, the program will no longer receive security updates or be available to download."
What does "encrypted into the website" mean then?
No SPF, No DMARC... No DKIM???
How do they know their emails are genuine?
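A small checker for the point raised above, added here and not part of the thread: given the TXT records a lookup would return for a domain and its `_dmarc` subdomain, it reports whether SPF is published with a hard fail and whether DMARC is at an enforcing policy. The records are constructed samples; DKIM is not evaluated because it needs the selector from a received message.

```python
def evaluate_spf(txt_records):
    """Return (present, hard_fail) for the domain's SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # no record means no policy; several records are a permerror
        return False, False
    return True, spf[0].split()[-1] == "-all"


def evaluate_dmarc(txt_records):
    """Return the DMARC p= policy, or None if no DMARC record is published."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return tags.get("p")
    return None


def sender_auth_report(domain_txt, dmarc_txt):
    """Summarise whether receivers can separate the domain's mail from forgeries."""
    spf_present, hard_fail = evaluate_spf(domain_txt)
    policy = evaluate_dmarc(dmarc_txt)
    return {
        "spf": spf_present,
        "spf_hard_fail": hard_fail,
        "dmarc_policy": policy,
        # Only quarantine/reject tells receivers to act on failed checks.
        "enforcing": spf_present and policy in ("quarantine", "reject"),
    }


# Constructed records: (TXT for example.test, TXT for _dmarc.example.test)
WEAK = (["v=spf1 include:_spf.mailer.test ~all"], [])
STRONG = (
    ["v=spf1 include:_spf.mailer.test -all"],
    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
)

if __name__ == "__main__":
    print(sender_auth_report(*WEAK))    # enforcing: False, dmarc_policy: None
    print(sender_auth_report(*STRONG))  # enforcing: True, dmarc_policy: 'reject'
```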
Biting the hand that feeds IT © 1998–2018