boohoo Group

boohoo enhances online shopping by leveraging Cloudflare to protect its multi-brand, geographically dispersed environment from bot attacks and malicious API access

boohoo Group's innovative global brands targeting young, value-oriented customers have made the company a leader in the ecommerce fashion market. Based in Manchester, England, the company generates nearly £2 billion in sales annually.

The group’s 13 brands, including PrettyLittleThing, Nasty Gal, and Debenhams, target a market of more than 500 million potential customers around the world. All brands, except Debenhams, conduct business solely online.

As an online retailer, boohoo faces many challenges, including intense competition, tight margins, and constantly changing customer interests and expectations. To ensure an optimal customer experience, the IT organization has developed a formidable technology platform comprising best-in-class systems. The platform enables boohoo to operate its huge volume business with efficiency and accuracy. Protecting that platform from cyber attacks is essential for securing customer and company data from unauthorized access and streamlining the shopping experience.

Challenge: Mitigate the risk of cyber threats that could disrupt ecommerce and affect revenue

boohoo continuously invests in systems, infrastructure, and technology to ensure an optimal and secure online shopping experience. In particular, the company is implementing cyber security tools to reduce the risk of application, system, and operational downtime that might affect trading and operations. The information security team is responsible for securing mobile apps and traditional websites for the company’s portfolio of 13 brands.

The security team became concerned when the customer service department reported a growing number of complaints. Some customers were unable to access accounts. Others received email messages indicating someone was attempting to set up accounts in their names.

According to Dorian Skeete, boohoo Group’s head of information security, the calls prompted an investigation that discovered malicious bots behind credential stuffing, and uncovered more than 100,000 fake accounts. The investigation and subsequent deletion of fraudulent accounts was largely a manual effort that took more than six months.

“During that time, we also had to take care of business as usual, which includes keeping the customer experience at exceptional levels even during peak trading times such as Black Friday,” Skeete says. “We quickly realized that it isn’t sustainable to continually suffer those kinds of issues and fix them manually.” So boohoo set out to find a more robust solution to address the current issues and to provide a foundation for a long-term, cohesive security strategy.

The company had worked with Cloudflare several years earlier after boohoo acquired Debenhams, a brick-and-mortar retailer with virtually no online presence. boohoo built the Debenhams ecommerce platform from scratch on AWS CloudFront, leveraging that platform's content delivery and security capabilities. The security team quickly realized that managing the security suite was too manual and it didn't provide an adequate level of protection against automated bot traffic. boohoo then turned to Cloudflare to provide the security layer for debenhams.com.

Solution: Protecting mobile apps and websites with Cloudflare API Gateway and Cloudflare Bot Management

After a careful evaluation of possible vendors, the security team chose Cloudflare. Skeete was already familiar with Cloudflare due to previous consulting engagements. His former clients raved about Cloudflare’s capabilities and support.

While price point was an important factor in boohoo’s decision to go with Cloudflare, the breadth of Cloudflare’s core services — including DDoS mitigation, Web Application Firewall (WAF), Advanced Rate Limiting to stop requests from overloading a server, and bot management — also played an important role in sealing the deal.

The security team was particularly interested in API Gateway because today’s threat actors increasingly target APIs to perform unauthorized actions and steal data. Cloudflare API Gateway provides client certificate-based identity and schema-based validation to protect both mobile apps and websites.

Because boohoo customers are more likely to shop on mobile devices than on traditional websites, the security team’s first priority was rolling out Cloudflare Bot Management and Cloudflare API Gateway to the mobile environment. “We needed to harden protection for those apps by Black Friday, which was just three months away,” Skeete recalls. “We met that deadline and in another three months, we had those services in place for our websites completed as well.”

boohoo runs Cloudflare Bot Management and API Gateway through Salesforce Commerce Cloud (SFCC) using Cloudflare Orange-to-Orange (O2O). This enables boohoo to connect its origin servers to the SFCC Cloudflare-based network while still protecting them.

Delivering immediate results

“Considering how complex our surface is — with mobile and traditional websites, 13 brands, and so many geographies — it’s impressive how quickly and easily we implemented Cloudflare and how Cloudflare supported us throughout the entire effort,” Skeete says.

The company saw immediate results. With Cloudflare in place, the usual holiday shopping season went without a glitch. After the peak season ended, the security team compared results to the previous year and found that security issues such as bot attacks and abusive traffic were down by as much as 90%. Reducing bot attacks alone saved an enormous amount of the team’s time and reduced stress.

The dramatic security improvements have brought peace of mind not only to the security team but to the company as a whole. “It reassures everyone that we're moving in the right direction,” Skeete explains. “It obviously means fewer headaches and fewer resources allocated to fighting off attacks. Our CTO summed it up after the holiday shopping peak, saying that ‘from an IT and security perspective it was relatively quiet, and that’s what we like!’”

The security team believes that better protection against attacks also improves performance, which makes shopping with boohoo more enjoyable. That, in turn, has a positive impact on revenue.

The team has assessed the return on investment of the work done at Debenhams. A comparison of the cost of the AWS infrastructure before and after introducing Cloudflare showed that Cloudflare essentially paid for itself within six to seven months.

Strengthening governance

The security team is taking full advantage of the Cloudflare dashboard to obtain useful statistics and gain much needed information such as the number of bot attacks over any given time period.

This reporting capability supports a new two-pronged governance structure. The first prong is a cross-functional security working team made up of key stakeholders across business departments, including IT, security, legal, finance, and HR. The second prong is a steering group comprising higher level managers and executives.

“I plan to leverage both parts of the structure to inform the board of the latest trends and risks, going beyond retail in general to provide insights specifically related to boohoo,” Skeete says. “We didn’t have a security reporting capability before. Now we can accurately report to senior management as well as keep our security team informed and accountable.”

Setting the stage for a comprehensive security solution

Cloudflare not only mitigates boohoo’s immediate issues, but also provides a foundation for continual strengthening of the company’s security posture. “Cloudflare gave us the bot management we were looking for,” Skeete concludes, “plus it offers a whole suite of other services like Web Application Firewall, DDoS mitigation, and rate limiting. With its breadth of core services, Cloudflare aligns with boohoo’s strategy of minimizing complexity through consolidation.”