High-end fashion retailer Orvis leaked the acocutn credentials of hundreds of internal passwords onto the Pastebin.com website. The exposed information included sensitive IT information such as firewalls and databases. However, the company claims the compromised data is outdated and that no damage or harm occurred to customers.
“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said in an interview with KrebsOnSecurity. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”
Two separate files made their way onto Pastebin.com in a single month. Information included not only passwords for online programs and systems but even a server room safe combination. It appears the source of the leak is not Orvis. A note at the top of the exposed file says “VT Technical Services,” indicating third party involvement.
If that is the case, it would be a startling breach of security that highlights the need for companies to remain vigilant about how the protect their corporate IP. Orvis is a multi-national retail company with stores in both the UK and the US. Many merchants of this type turn to use third-party solution vendors to offboard responsibility to a third party. While that is understandable, they must remember that mistakes happen. Ultimately, the merchant suffers the consequences of data security oversight, even if they were not at fault.
“It’s fairly remarkable that a company can spend millions on all the security technology under the sun and have all of it potentially undermined by one ill-advised post to Pastebin, but that is certainly the reality we live in today,” KrebsOnSecurity commented.