Ensuring customer data is secure for a global ecommerce retailer

World of Books
Security Retail

The World of Books Group invested in CREST accredited penetration testing to maintain both growth and consumer trust.

The company

Selling a book somewhere in the world every two seconds, the World of Books Group is the UK’s largest second-hand book retailer. The Group has grown rapidly from a start-up into a global enterprise and now comprises three e-commerce businesses - World of Books, Ziffit and Shopiago - each supported by their own technology.

As an exclusively online retailer, World of Books processes a high volume of sensitive data including customers’ personal and financial details - making them an attractive target for cybercriminals.

The background

World of Books have always taken a security-first approach, but it became clear that as the business started to scale, they would need to invest in additional proactive security measures to maintain both growth and consumer trust. Their initial priority was to find a reputable penetration testing partner for the main ecommerce World of Books website and, with their IT team located in Hungary, they required a partner whose test methodologies adhered to international standards.

The solution

World of Books selected Zoonou as their penetration testing partner following a discovery consultation and solution proposal. Our CREST accreditation provided the Hungarian and UK teams with the confidence that we conduct and document penetration testing in accordance with the highest international legal, ethical and technical standards.

Zoonou’s website penetration testing follows a robust and systematic methodology. It provides our security test analysts with a framework to ensure that all aspects of the website are examined for vulnerabilities or weaknesses that could lead to the website becoming compromised.

'Zoonou provided penetration testing for our multiple website store fronts, stretching globally. They offered great insight and service, guided us through defining the scope and provided coverage of the OWASP Top 10 vulnerabilities.'

- Project Manager at World of Books

Prior to the main test effort, we performed a reconnaissance of the website to gain more insight into its structure and functionality and worked closely with World of Books to define the scope of testing. This ensured that the test execution was targeted against critical areas such as the checkout and customer account login. Using the OWASP Top 10 as a foundation to the test approach, the website was tested for a variety of issues including session management flaws, insecure configurations, and flaws in encryption.

The results

During testing, potential vulnerabilities were shared with the World of Books teams via an online issue tracker. Once the test execution concluded, a full report was delivered securely to World of Books to protect the highly sensitive test data. With an executive summary and a technical breakdown, each team received the information most relevant to them, enabling them to prioritise and remediate identified vulnerabilities quickly.

'A big reason we went with Zoonou was the summary report, which was comprehensive and delivered to us securely.'

- Project Manager at World of Books

The penetration test enabled World of Books to mitigate risks associated with website security weaknesses and to demonstrate to their online customers and charity partners that they take information security seriously, ensuring they are compliant with regulations including the Data Protection Act and GDPR.

The success of the first penetration test engagement in 2019 has subsequently led to Zoonou performing regular penetration tests on the main World of Books website and across the rest of the Group’s platforms and applications.
