An undetected vulnerability in a common open-source library led to one of the UK’s most trusted retail brands facing customer data breaches, regulatory fines, and operational disruption.
HighStreet.com’s Loyalty Rewards Platform relied on software built by third-party vendors. Those vendors used the open-source library jackson-databind, in which a critical RCE (Remote Code Execution) vulnerability was later disclosed. With no SBOM (Software Bill of Materials) and no early warning system in place, the vulnerability went unnoticed until attackers exfiltrated 90 GB of customer data.
In short, an invisible dependency brought the whole loyalty system down.
Root Cause and Missed Signals
- No SBOMs from third-party vendors
- Public-facing API endpoints exposed vulnerable code
- Contracts lacked open source vulnerability SLAs
- HighStreetCom's vulnerability scanning skipped vendor binaries
- No real-time threat intelligence to catch exploitation attempts
Meterian's continuous open-source vulnerability monitoring and automated remediation could have flagged the use of the vulnerable jackson-databind library and reduced the blast radius drastically.
What HighStreetCom Did Next
- Enforced SBOM requirements for all vendors
- Updated contracts to mandate vulnerability disclosures within 7 days
- Integrated Meterian-style software composition analysis (SCA) tools to assess vendor-supplied code
- Launched open-source vulnerability training for PR, legal, and cyber teams
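As an added example (not Meterian's tooling or anything from HighStreetCom's programme), the following Python sketches the SBOM-plus-SCA check that the first and third steps above describe: it reads a constructed CycloneDX SBOM of the kind a vendor would supply, matches components by package URL against a constructed advisory list with a placeholder ID and an invented affected version range, and reports components it cannot identify instead of silently dropping them.

```python
"""Added example: SCA-style check of a vendor-supplied CycloneDX SBOM against an advisory list."""
import json
import re

# Constructed CycloneDX 1.4 SBOM, standing in for what a vendor would hand over.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.9.9",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9?type=jar"},
        {"type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"type": "library", "name": "vendor-internal-utils", "version": "1.0"},  # no purl at all
    ],
})

# Constructed advisory feed: placeholder ID and an invented affected range [introduced, fixed),
# not real CVE data. A real feed (OSV, NVD, a commercial SCA database) supplies these values.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "severity": "critical",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "ranges": [("2.9.0", "2.9.10")]},
]

def parse_version(v):
    """Turn a Maven-style version into a comparable tuple: '2.9.9' -> (2, 9, 9)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version, ranges):
    """True if version lies in any half-open [introduced, fixed) range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in ranges)

def scan_sbom(sbom_json, advisories):
    """Return one finding per advisory match, plus one per component that cannot be identified."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, _, rest = comp.get("purl", "").rpartition("@")
        version = rest.split("?", 1)[0]  # strip purl qualifiers such as ?type=jar
        if not base or not version:
            # No package URL means no reliable match: report it rather than let it vanish.
            findings.append({"component": comp.get("name", "?"), "version": comp.get("version", "?"),
                             "advisory": None, "severity": "unidentified"})
            continue
        for adv in advisories:
            if base == adv["purl"] and is_affected(version, adv["ranges"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return findings

if __name__ == "__main__":
    for f in scan_sbom(VENDOR_SBOM, ADVISORIES):
        print(f"{f['severity'].upper():12} {f['component']}@{f['version']}  {f['advisory'] or ''}")
```

The "unidentified" findings are the practical counterpart of the "vendor black box" point: a component a vendor cannot name with a package URL is exactly the one no scanner will ever match.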
If your organisation integrates software from third parties, you are part of a software supply chain. And without open-source security scanning, you’re operating blind.
Get the Full Story
Understand exactly how the attack unfolded, what warning signs were missed, and what recovery actions were taken.
Or schedule a demo to see how Meterian can help you mitigate risks in your software supply chain.
- Location: United Kingdom
- Industry: Retail – National High Street Chain
- Employees: 10,000+
- Revenue: £3.2 billion annually
- Incident: Remote Code Execution (RCE) via open-source dependency
- Impact: £2.7M in losses, 1.3M customers affected
- Solution: Software supply chain visibility, SBOMs, continuous monitoring
CISO of HighStreetCom
“We weren’t caught off-guard because of a lack of tools, but because no one was looking inside the vendor black box. Open source risks don’t stop at your codebase. They travel with every partner you integrate.”