Tuesday, 28 May 2019

UK Pub Chain 'Greene King' Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", only to say within their customer disclosure email "
Whilst your password was encrypted, it may still be compromised". It is a long established good industry coding practice for a website application's password storage to use a one-way 'salted' hash function, as opposed to storing customer plaintext passwords in an encrypted form.

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement, which suggests their website had security vulnerabilities which were fixable, "
we have taken action to prevent any further loss of personal information"

The number of customer records impacted by this data breach has also not disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA\GDPR to report the breach to the Information Commissioner's Office (ICO) as well as its impacted customers. Both Greene King and ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times, in November 2016 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails.  Remember criminals can fake (spoof) their 'sender' email address and email content to replicate a ligament email.

No comments: