Why does this sound familiar?
Update: It was much, much worse than it seemed at first. New reports suggest that around 10 million accounts were affected, not 1.2 million.
Hackers have attempted to compromise almost six millions credit and debit cards, having gained access to systems belonging to Dixons Carphone. The data breach was revealed today by Dixons Carphone itself, in a statement that said, “As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company.”
Fortunately, the vast majority of these were protected by chip and PIN, and no critical data, like PIN numbers or CVVs (card verification values) were leaked. However, “Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.”
So far, Dixons says there has been no evidence of fraud as a result of the breach, and the relevant card companies have been notified, so hopefully, this will be where this case ends. Not that that would make it okay, of course. And it wouldn’t excuse Dixons for the separate breach, also mentioned in its statement, in which “1.2m records containing non-financial personal data, such as name, address or email address, have been accessed.” Again, Dixons Carphone says no fraud has occurred as a result of the breach.
Who? What? Why? Huh?
Notably missing from its statement are any details about how and, crucially, when these breaches occurred. As well as requiring data controllers and processors to have adequate cyber security, the GDPR (General Data Protection Regulation) states that significant data breaches like this should be reported within 72 hours, or else fines from the ICO (Information Commissioner’s Office) may follow.
As has been shown on numerous occasions, many companies will do their best to keep data breaches under wraps. Like when Uber had the details of 57 millions customers stolen, and then chose to hide that fact for more than a year. Or that time, in 2014, when Yahoo lost the data of 500 million of its customers to hackers, but only owned up to it in 2016.
Ah, good times...
There is, however, nothing to suggest that Dixon Carphone has been sitting on this information. Indeed, Carphone Warehouse - part of the same group, of course – suffered a similar attack in 2015, in which the data of millions of customers and thousands of staff was pilfered, and by the very next week it had both reported the incident and gone public with it. That didn’t stop it being fined a tidy £400,000, but it’s still better than trying to sweep it under the rug and then acting surprised when the ICO inspectors trip over the bump.
At this early stage, it’s not known how the criminals gained access to Dixon’s systems, but in the 2015 case, the out-of-date WordPress builds on which Carphone Warehouse’s websites were based were found to be the cause. As the Information Commissioner, Elizabeth Denham, said at the time, “A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
So what should Carphone Warehouse have actually done? It should have kept its websites up to date, of course, checking on their status on a regular basis. And if that was beyond the abilities or time of its staff, it could have easily tried a managed service provider (MSP). Under an MSP model, its systems would have been constantly monitored, and things like out-of-date content management systems would have been flagged before they led to problems.
Could an MSP have saved Dixons Carphone? Maybe, maybe not. It’s impossible to say at this point. But what’s clear is that reactive approaches to IT and cyber security, while important, can by their very nature only be deployed once the damage is done.
In an age when the sanctity of personal data is paramount, that simply may not be good enough any more.
If you're concerned about the state of your own IT or cyber security, please give us a call on 0333 900 9050 or email firstname.lastname@example.org. We'd be happy to discuss your requirements with you and find a solution that suits your business and your budget.