Australian retailer David Jones has confirmed that hackers stole the customer database for its online store, making it the second attack on a website built on IBM’s e-commerce platform WebSphere.
The department store chain confirmed on Friday that hackers had exploited a vulnerability in its website and taken customer details including name, email address, order details and mailing address.
The company discovered the breach on 25 September and has notified affected customers by email.
“On 25 September 2015, David Jones learned that a third party exploited a vulnerability in our website to extract limited information about some of our customers,” the company said in an FAQ about the breach.
“No credit card information, financial information or passwords were obtained. David Jones does not store any credit card information or financial information on our website,” it added.
David Jones’ disclosure follows Wesfarmers-owned Kmart’s report of a similar breach of its online customer ordering system on Thursday.
David Jones has not revealed the exact vulnerability the hackers exploited, however a frequently used method to cause a website to leak details from a backend database is known as an SQL injection.
“When talking about vulnerabilities in a website, the term "extracted" is typically used in relation to SQL Injection exploits that are used to manipulate the queries sent to the backend database server in order to extract unauthorised information,” Ty Miller, CEO of Australian security firm Threat Intelligence told CSO Australia.
SQL Injection is a bug in the web application code written by developers, however Miller said in this case hackers are likely to have exploited an un-patched flaw in IBM’s e-commerce software WebSphere, according to Miller.
Indeed, both Kmart’s and and David Jones’ online stores are built on WebSphere.
“By simply viewing the HTML of the Kmart and David Jones websites, we can see that both websites use the IBM WebSphere Commerce platform for their stores,” Miller said.
“This is a strong indication that the two breaches were performed by the same hacking group using the same exploitation technique.”
IBM also released a security patch in the last month to address a bug that “closely resembled” the two breaches, according to Miller.
The bug, CVE-2015-4980, affects IBM WebSphere Commerce 18.104.22.168 through 22.214.171.124 and “allows remote authenticated users to obtain sensitive personal information”.
While it is possible that hackers breached the two firms’ websites using a different method, Miller warned any organisation that is using IBM WebSphere Commerce to be on high alert.
“One step to help minimise the risk of a security breach would be to ensure that the IBM WebSphere Commerce version and corresponding software versions are upgraded and have security patches applied,” said Miller.
CSO Australia has contacted David Jones for further information and will update the story if a response is received.
Kmart and David Jones have reported the breaches to the Office of the Australian Information Commissioner (OAIC) as well as the Australian Federal Police.