VPNpro carried out the research and found that an out-of-date VPN was responsible. The old version of the Pulse Connect Secure VPN server has a known vulnerability which allows a hacker to access data on the servers without having to log in.
In fact, the investigation found a list of employee usernames, unique IDs and encrypted passwords before it had even confirmed that the vulnerability existed.
Once it was confirmed, the team were able to get inside Monsoon’s internal servers (even bypassing the two-factor authentication it had enabled for its VPN portal) and see sales data, minutes from meetings, and other business data. More worrying for Monsoon customers was the following:
- 45,000 customer names and email addresses & countries
- 65,000 reward card & voucher numbers (many expiring in 2021)
- 10,000 customer records with names, emails, addresses and phone numbers
VPNpro says it has “attempted to contact Monsoon multiple times via multiple channels” and has had no response. It even left a text file on the server which reads “Your Pulse Secure VPN server is vulnerable (CVE-2019-11510). Please fix it as soon as possible.”
And unlike most vulnerability disclosures which are only made public once the holes have been patched, Monsoon’s servers remain hackable.
All the company needs to do is to update its VPN to a newer version.
What can you do if you’re a Monsoon Accessorize customer?
Unfortunately, there is nothing you can do to prevent your details being stolen and sold on. If the problem isn’t addressed, there’s every chance that will happen.
Either that or the hackers will use ransomware and the new owners will face paying a huge sum to get the data back, just as Garmin reportedly had to do recently.
And this could cause problems in the company’s retail stores if sales are dependent on accessing those servers.
All you can do is to use an online service such as haveibeenpwned.com to find out if your email address has been included in any data breaches. There are also paid-for identity protection services which will monitor dark web pages for you in case any of your details are spotted for sale.
You can’t stop that from happening, but an early warning means you can change your password(s) and keep a close eye on related bank accounts and credit card statements to limit the damage. Alert your bank, too, as it may be able to offer protection.
You should also be vigilant and watch out for phishing emails which appear to come from Monsoon Accessorize and may trick you into visiting a fake website to get you to enter your account details or even financial details.