Plenty of businesses have struggled to weather the coronavirus storm. In June, popular chains Monsoon and Accessorize (both owned by the same company) briefly went into administration before they were quickly bought out.
Unfortunately, this isn’t the only difficulty facing the firm. New research has shown that the company’s servers have a security hole which hackers could easily exploit to access customer and staff details, as well as use ransomware to encrypt that data – just as happened to Travelex on New Year’s Eve 2019 – as well as delete backups and disable antivirus and other security tools.
VPNpro carried out the research and found that an out-of-date VPN was responsible. The old version of the Pulse Connect Secure VPN sever has a known vulnerability which allows a hacker to access data on the servers without having to log in.
In fact, the investigation found a list of employee username, unique IDs and encrypted passwords before it had even confirmed that the vulnerability existed.
Once it was confirmed, the team were able to get inside Monsoon’s internal servers (even bypassing the two-factor authentication it had enabled for its VPN portal) and see sales data, minutes from meetings, and other business data. More worrying for Monsoon customers was the following:
- 45,000 customer names and email addresses & countries
- 65,000 reward card & voucher numbers (many expiring in 2021)
- 10,000 customer records with names, emails, addresses and phone numbers
VPNpro says it has “attempted to contact Monsoon multiple times via multiple channels” and has had no response. It even left a text file on the server which reads “Your Pulse Secure VPN server is vulnerable (CVE-2019-11510). Please fix it as soon as possible.”
And unlike most vulnerability disclosures which are only made public once the holes have been patched, Monsoon’s servers remain hackable.
All the company needs to do is to update its VPN to a newer version.
What can you do if you’re a Monsoon Accessorize customer?
Unfortunately, there is nothing you can do to prevent your details being stolen and sold on. If the problem isn’t addressed, there’s every chance that will happen.
Either that or the hackers will use ransomware and the new owners will face paying a huge sum to get the data back, just as Garmin reportedly had to do recently.
And this could cause problems in the company’s retail stores if sales are dependent on accessing those servers.
All you can do is to use an online service such as haveibeenpwned.com to find out if your email address has been included in any data breaches. There are also paid for identity protection services which will monitor dark web pages for you in case any of your details are spotted for sale.
You can’t stop that from happening, but an early warning means you can change your password(s), keep a close eye on related bank accounts and credit card statements to limit the damage. Alert your bank, too, as it may be able to offer protection.
You should also be vigilant and watch out for phishing emails which appear to come from Monsoon Accessorize and may trick you into visiting a fake website to get you to enter your account details or even financial details.
Related articles for further reading
Author: Jim Martin, Executive Editor
Jim has been testing and reviewing products for over 20 years. His main beats include VPN services and antivirus. He also covers smart home tech, mesh Wi-Fi and electric bikes.