Customers of UK kitchenware firm Lakeland have been told to reset their passwords after attackers apparently accessed two databases holding encrypted data on 19 July.
Although the seriousness of the breach is not known, the Cumbrian firm’s managing director Sam Rayner contacted customers by email to apologise, blaming the issue on Java-based software used by its back-end servers.
"Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the Java software used by the servers running our website, and indeed numerous websites around the world," wrote Rayner.
"This flaw was used to gain unauthorised access to the Lakeland web system and data," he added, in a comment that appears to shift some of the responsibility to the company hosting that server.
Rightly or wrongly, the firm clearly feels it has been left at the mercy of technological issues in Java.
“This has occurred despite the best efforts of ourselves and the industry-leading IT company that runs our website for us to use the best security systems available. We are committed to protecting our customers’ data and will continue to seek additional measures to ensure the integrity of our systems.”
There was no evidence that data had been stolen, but Lakeland had decided to ask customers to reset their account access as a precaution, even though the databases had been encrypted.
Java is a constant theme in security breaches, but overwhelmingly at the client side; a back-end server issue connected to Java ranks as unusual.
Attention will now turn to the flaw that let the attackers in, described by Rayner as recently identified. That at least narrows down the range of possibilities.
According to Tal Be'ery of security vendor Imperva, a flaw in the Apache Struts 2 framework (CVE-2013-2251), publicised ten days ago, was a strong possibility.
“The flaw is considered to be 'highly critical' and allows code execution on the attacked server,” he said. “This underlines, once more, the dangers of third-party code. In Lakeland’s case, the culprit was the Apache Struts framework, or another Java-related software in case our guess proves to be wrong.”
The Struts vulnerability he mentions has now been patched.
Unconnected with this but on the same general theme, Java SE saw a 40-fix patch in June in the face of persistent criticism that Oracle has not treated software flaws with the urgency they deserve.