On January 17, 2017, the Sydney Morning Herald reported that online fashion retailer, Showpo, was suing a former staff member for allegedly stealing their entire customer database and handing it to a competitor.

It is alleged that the former Showpo graphic designer accessed the contact information of 306 000 Showpo customers, exporting the list and providing it to her new employer and online fashion competitor, Black Swallow.

Update: Black Swallow will pay Showpo $60,000 in damages.

Online email marketing platform, MailChimp, has provided activity history that claims to show the designer accessed the customer database at 9:33pm and exported the client contact list to her home IP address.

The breach exposes a number of flaws in Showpo’s information security policies - flaws that are widespread among small-to-medium Australian businesses.

In an age where data is currency, it is surprising that an online powerhouse like Showpo allowed a graphic designer to effectively hand their customer information over to a competitor. It reveals the growing need for businesses to act in compliance with internationally recognised standards like ISO 27001, the standard for information security management systems.

If Showpo had been acting in accordance with the information security management requirements outlined in ISO 27001, it’s unlikely a breach like this would have been able to occur. Some of the information security controls outlined in ISO 27001 include:

• Only allowing staff to access the information that is needed for their role.  It’s unlikely that a graphic designer should need access to the entire customer database, let alone have the authority to export the list.
• Establishing whitelisted IP addresses to improve network security. Showpo could have avoided the breach by establishing approved IP addresses which may access customer information. Approved IP addresses could be restricted to the office or other approved locations, but not the home addresses of employees.
• Regular review of systems logs. Regular review of systems logs is a requirement of the ISO 27001 standard to identify irregularities in how the system has been used. Showpo claimed it learned of the data breach when their customers reported receiving unsolicited promotional emails from Black Swallow. If Showpo had engaged in regular review of systems logs, they could have been proactive in identifying an irregularity like an exported list to unfamiliar IP address.
• Using dummy email addresses to quickly identify when a data breach has occurred. From a reactive point of view, Showpo could have placed dummy email addresses in their database, which only exist to receive emails from that specific list. In the case of an alleged breach like this, this would prove that the list was indeed stolen.

Unfortunately, data breaches like the recent Showpo case are becoming increasingly common across all industries. In October, 2016, the Red Cross Blood Service revealed that the personal information of 1.28 million blood donors was exposed online. The information ranged from name, gender, home and email addresses, phone numbers, dates of birth, blood types and sensitive medical information.

The leak was attributed to human error, and given the massive financial and reputational damage of information security lapses like these, it’s a grave error.

To learn more about why information security management standards like ISO 27001 are critical for your business, get in touch with us today.