Builders' Merchants News
Jewson is target of data security breach
Published:  15 November, 2017

Builders' merchant Jewson has taken its store offline and warned customers that its data may have been stolen by hackers.

Up to two thousand customers who used the Jewson Direct online store, (formerly the Jewson Tools website, between 23 August, 2017, and 3 November, 2017, could have been affected.

Jewson confirmed the data breach in a recent letter sent out to its customers. A spokesperson for the company, said: “We confirm that the Jewson Direct website has been the target of a security breach. We have notified 1,659 customers whose data may have been compromised, and are offering free credit monitoring to all of those affected to help detect any potential misuse of data in the future.

“Only the Jewson Direct website was affected by the security breach. Our main website, our credit account customers, and transactions across our branch network, are not affected by the security breach and are operating normally.

“We have commissioned a forensic investigation into the breach using a specialist firm and the Jewson Direct website will remain offline until the investigation is complete. We sincerely apologise for the distress and inconvenience this security breach has caused to those customers affected.”

The company warned customers that a whole range of information may have been stolen during the breach. Names, location, billing address, password, email, phone number, payment details, card expiry dates and CVV numbers "may" have fallen into the hands of an "unauthorised person", according to the letter.

"At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct website," Jewson told customers. "The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data. No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure."

A spokesperson for the UK's data watchdog, the ICO, said: "We are aware of an incident involving Jewson, and will be making enquiries."

Commenting about how any business can be vulnerable to cyber-attacks, Andy Barratt, UK Managing Director of Coalfire, said: “The Jewson data breach is yet another example of the broadening appetite of hackers. This latest development shows that the construction industry is just as vulnerable as the sectors more commonly associated with being targeted by cyber criminals, like financial services and online retailers.

“We will need to wait for the ICO’s enquiries to conclude before the extent of the damage caused by the hack is clear. What is certain is a that a cyber attack of this nature affects a business just as much as its customers. Website downtime and loss of control over payment processes means significant disruption that usually comes at a considerable financial cost; not to mention the reputational and regulatory considerations that accompany a high profile security breach of this nature. Depending on the motives of the criminals, there is also the risk of Jewson itself having goods stolen by the intruders who could potentially misuse customer’s online accounts to place rogue orders.”

Andy concluded: “Businesses across all sectors should see this as a warning and take an honest look at their IT infrastructure and business processes to identify where a hacker would have something to gain from infiltrating them, and take steps to close the gaps.”