This article is more than 1 year old
Loake Shoes admits: We've fallen victim to cybercrims
Hold on to your laces, email server was compromised
Miscreants, hackers – call 'em what you will – have pilfered email addresses from an unknown number of Loake Shoes customers.
In a letter sent to punters on its database – seen by The Register – the premium footwear maker said it has been "the victim of a cyber attack".
"Despite having stringent security measures in place, this has resulted in our email server being compromised," the missive stated.
This is more than a little embarrassing for a business that supplies handmade leather goods to the British royal family. Founded in 1880 by brothers Thomas, John and William Loake, the firm has since sold more than 50 million pairs of Goodyear welted shoes in more than 50 countries.
Loake said in the correspondence: "We do not store credit or debit card details on our system" but warned that customers "may receive spam or phishing emails which, at first glance, may appear to be from Loake."
A spokeswoman for Loake has not responded to questions about when the breach took place, what the precise circumstances were, how many customer emails were accessed, whether all customers had been notified or about what the firm was doing to prevent a similar breach from occurring again.
Loake strangely described described the attack as "similar in nature to that which was suffered by the NHS a few months ago" – presumably the WannaCrypt ransomware worm that held systems across the world hostage through encryption.
"We are not aware of any other breach of security and we apologise for any inconvenience caused," Loake added in its letter.
A Loake customer told us he had expected an "established brand... could be trusted with my details".
"The fact that they have likened their data breach to the recent NHS ransomware attack – two completely different events – reduces my confidence in their ability to deal with the situation and it also makes me question their reassurance that my credit card details are safe," the customer added.
Etienne Greef, managing director of integrator Secure Data, told The Register it was "unlikely" that the breach was similar to the NHS attack as WannaCry does not access email servers, but rather encrypts information.
He said drawing comparisons with the NHS attack implied that Loake was running old, vulnerable versions of an operating system.
Greef suspected it was most likely to be a case where an administrator password to an email server was compromised, letting hackers access customer email lists.
Firms should "understand what happened before communication," he added. "Confused communication does more damage than good." ®