"Late on Friday July 19th", says the email, "we discovered that the Lakeland website was being attacked by hackers in a sophisticated and sustained attack." The company took immediate steps to "block the attack, repair the system and to investigate the damage."
Yesterday, however, it became clear that two encrypted databases had been accessed. Lakeland stresses that "we've not been able to find any evidence that the data has been stolen." However, this would depend on Lakeland's instant alert to the incident (which is implied in the comment 'was being' rather than 'had been' attacked) and its ability to immediately stop the attack from progressing.
If the attack was not stopped in its tracks, it would be wise to assume that data was stolen. Lakeland says the databases concerned are encrypted. It probably means that the passwords contained were hashed; but it doesn't say with what nor whether they were additionally salted.
The company has decided to reset all customer passwords and force users to create a new password next time they log in; adding, "if you use the same password on any other account/s, you should change the passwords on these accounts as soon as possible."
"While Lakeland are now aware of the breach and are looking into exactly what happened," comments ThreatTrack Security Labs in a blog posting today, "anybody affected should keep an eye on their personal information for the time being and hope there is no additional fallout from the attack." Dodi Glenn, ThreatTrack's director of Security, says Lakeland must continue its investigation to find out exactly what happened. "Customers should have the right to know if their credit card numbers were stolen," he commented. "Lakeland and others should take note that being proactive instead of reactive is the best approach, because brand reputation is priceless.”
The Lakeland email suggests that the company is aware of the potential for brand damage, and seems to trying to balance openness with damage limitation. It even, and unusually at this stage in an investigation, gives some clues on how the breach occurred – it was Java. "Lakeland had been subjected to a sophisticated cyber-attack using a very recently identified flaw in the Java software used by the servers running our website."
If the flaw has only recently been disclosed it almost certainly hasn't yet been patched. The likelihood is, then, that Lakeland is just the latest company to fall for a Java zero-day exploit.