Fast Retailing, the company behind multiple Japanese retail brands, announced that the UNIQLO Japan and GU Japan online stores have been hacked and third parties accessed 461,091 customer accounts following a credential stuffing attack.
As detailed in the official statement issued by Fast Retailing following the security breach, the credential stuffing attack that led to the data breach took place between April 23 and May 10, 2019. The number of compromised accounts may be higher, since the investigation has not yet concluded.
“While the number of incidents and circumstances may change during the course of the investigation, Fast Retailing is today providing notice of the facts as determined at the present time, and the company’s response,” says Fast Retailing.
The company also listed the customer information that was accessed during the attack:
• Customer name (last name and first name)
• Customer address (postal code, address, and apartment number)
• Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
• Receiver name (last name and first name), address, and phone number
• Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.
On May 13, Fast Retailing disabled the account passwords of 461,091 UNIQLO Japan and GU Japan online shop customers and started sending emails to all affected individuals to reset their passwords.
Fast Retailing discovered the breach after multiple customer reports of weird account activity and blocked the attackers from accessing the company’s computing systems, while also “strengthening monitoring of other access points.”
“Fast Retailing has also filed a report of damages regarding the unauthorized logins with the Tokyo Metropolitan Police,” states the data breach notification.
The company concludes the data breach notification [EN, JP] by asking all its customers to change their passwords, especially if they’re also using them on other online platforms:
Fast Retailing is therefore requesting everyone who uses the same user ID or password with other services, not just the customers who have been contacted individually, to change their passwords immediately. The company recognizes that protecting customer information is a matter of the highest priority, considering this incident extremely serious, and is strengthening monitoring of unauthorized access, as well as taking other steps to further ensure that customers are able to shop with safety.
Customers who want more details regarding the data breach can contact the company’s customer service team using the free-of-charge support phone line 0800-000-1022, “available 9:00-17:00, including weekends and holidays,” or via e-mail at [email protected]
While the number of Fast Retailing online customers is not public, “Internet sales made up 10% of domestic sales in the first half of the company’s current fiscal year,” as Bloomberg initially reported.
I like how fast this was disclosed. I don’t like that I learned about it from a non-Japanese news source.