I went shopping with my wife at the weekend, and ended up in Top Shop. As she was paying, I noticed something a little disturbing on the counter (so I took a picture):

In case you can't make it out (it was an "under cover" iPhone shot, so the quality isn't great, and I have blurred some bits of it for reasons which will become clear), it was a sheet of paper full of customer names and e-mail addresses, facing the customer. It's for "Top Shop Style Notes", an e-mail newsletter - presumably asking people to subscribe in store.
I was a bit shocked that a major high street store would allow this to happen - firstly, because it is a major breach of the Data Protection Act. They have a duty to keep personal data secure, and something either in their systems or training isn't ensuring this. Putting the real names and e-mail addresses of young women on public display probably isn't a good idea in anyone's book.
Secondly, it would be an absolute free lunch for phishers. Imagine (if you will) that someone less public-spirited than me was to:
1. Snap the list of names and e-mail addresses with a camera phone
2. Send an e-mail to all the people on it saying something like:
Dear FirstName [we have their real name on the sheet]
Thank you for your recent purchase [it's safe to assume they purchased something since their name was behind the till] at Top Shop in York [this is where we picked up the information] last Friday [they have conveniently dated the page].
Unfortunately we made an error when processing your payment and have overcharged you by £5.47 [or any other random amount]. We would like to refund this to your payment card. Please visit topshoprefunds.com [which the scammer has set up earlier] and enter your card number. Your refund will be processed within 24 hours.
The phishing site would be set up to look like the official Top Shop site, but would ask the user to input their card details, which the scammer would then use or sell on. Barring those who paid with cash rather than a card, this is a fairly convincing message (it contains information only Top Shop should know), and I suspect would get a fairly high rate of success. There were 14 names and addresses on this sheet: multiply this by the number of tills and the number of branches of Top Shop, and there could be thousands of customers' details potentially being leaked every day.
The assistant was very keen to try and sell us a store card. Judging by the disregard Top Shop appear to have for the security of personal data, and the amount of information you need to give to submit a credit application, I'm very glad we declined the offer.