What do Calamity Phone Warehouse and Twattwat have in common ?
Oh yeah, Charles Dunstone or should that be Duncestone
Carphone Warehouse has been handed one of the largest ever fines – a whopping £400,000 – from the UK’s data protection watchdog after exposing the details of millions of its customers. An investigation by the Information Commissioner’s Office found a “striking” number of “distinct and significant inadequacies” in the phone …
“very sorry for any distress or inconvenience”
Clear they can't get away with the ritual "only a few" so we get the second line of defence in weasel words: "any"(implying there may be none) and avoidance of the word "damage".
Will journalists please learn to follow up this crap with searching questions?
Oh yes, "lessons have be learnt" and that lesson is that paying the fine is cheaper than securing their data.
Fines should be realistic and punitive, a minimum of £1 per user who has information compromised, doubling for any subsequent offences. After 3 such offences prison time should be an available penalty.
Best get that penalty in before GDPR comes into force in May...
When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically.
From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher.
Even with Brexit, this legislation will be copied into UK law word for word (otherwise the UK wouldn't be deemed a safe harbour of data).
It's the wrong mentality if you ask me, START at £500,000 and then reduce it to show where good practice was used, where speedy remediation was put into effect, where they notified ICO and those affected quickly.
Don't start at £0 and count up, that's the wrong way. If companies aren't fast at notifying people, don't bother to do anything quickly and didn't in the past then they should always be hit with the maximum.
penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher.
No, potential penalties will. But other UK and EU regulators have had 10% of turnover fines for years, few fines have ever come anywhere near the limit. Post GDPR, we can expect that fines will go up significantly. But I'll be amazed if the actual fines are anywhere near the potential maximum.
" other UK and EU regulators have had 10% of turnover fines for years, few fines have ever come anywhere near the limit.
I'll be amazed if the actual fines are anywhere near the potential maximum."
What happened with the TalkTalk fines was an example of this. TalkTalk got a significant reduction for "full cooperation".
It's interesting that, from the report, the access was via valid WordPress login details, even though the version of WordPress itself was vulnerable.
That points to either a disgustingly easy user/pass combo (admin/password) or an inside job where someone was possibly paid to disclose server details.
Affected information included the names, dates of birth, addresses and phone numbers of more than 3 million customers; the staff records - including car registration numbers and work usernames - of 1,000 employees; and historic transaction details - like card numbers and expiry dates - for March 2010 to April 2011 for 18,231 payment cards
So can we assume the card data was in plaintext?
The hacker then located credentials in - yep, you guess it - plaintext, which they used to search and access information in numerous databases, including those containing personal data.
Plaintext *shakes head*, how stupid can you be?
The issue here is not the plaintext credentials, but credentials being on an internet facing server at all.
Looks like a shitty design decision to just establish a full database connection to the backend with full access to service the front end requests.
Whereas the front end provided authentication should be piped through to the backend to establish a data access session in the context on the front-end user that wants to look up data.
This would limit any data loss specifically to users that logged in during the breached period, as well as giving the opportunity to limit or redact data (like full credit card numbers in stored transactions) when presenting it to the frontend.
You make the assumption that the system holding this was internet facing.... it might not have been.
Sure, the system compromised initially by the exploit was, but after that.... could easily have been anywhere in their network if they hadn't properly isolated internet facing systems (and most rarely do to the level required) and even then its possible to gain deeper access in other ways...
>> Whereas the front end provided authentication should be piped through to the backend to establish a data access session in the context on the front-end user that wants to look up data.
It is fairly normal to have a single user account used by a web application to CRUD data from a database, with roles enforced within the web application.
The problem here seems to be that the permissions for that database user weren't tightly scoped to the database/schema supporting the Wordpress instance, it was presumably a root account with access to EVERYTHING on the db server.
This is rather sloppy.
Unless they were using Wordpress to store personal data on CW customers, which would be an "interesting" approach.
More disingenuous Corporate-speak! Here's what happened.. You ran your tech ops on a shoestring with sheer indifference, because you knew quite cynically, that the cost of fixing it wasn't worth it versus possible looming fines. Just the cost of doing business. Will GDPR fix this lazy reckless???
I was amazed when I walked into my local Carphone Warehouse outlet in the Parkhead Forge retail park, Glasgow.
They still have at least four CRT telly's above them behind the counter (yep, you read right CRT).
I stood there gawping at what a baldy bastard I looked like on some sort of bulbous 24" (or thereabouts) colour TV screen from the nineties.
The missus did all the talking (switching from one shitty broadband to another) so I never clocked their EPOS and can't comment on that.
I just pointed and stared at the shiny reflective screens. In awe of the flickery glow. I pondered the magic, thinking of the electrons being magnetically aimed, then fired in succession towards the screen, at the speed of light, row after row and how it made the back of my head look like a full on friar tuck.
I also remember it happened to me years ago, walked into the offie's* on Duke Street, stood in the queue staring at the CCTV telly, when I got to the front the lassie had obviously noticed the staring and said "Aye, everybody looks baldy in it, even the wummin. Wit dae ye wan't"**
* Offie's: Shop where you buy booze to take to your home/mates/party
** Translation: "Yes, everyone looks as if they may be going a bit thin on top, including the ladies. Can I get you anything sir"
So...what do you have to do to cop the maximum fine ?? Clearly has to be worse than exposing the details of three million (!) people. And how come their customers get no compensation (I am not a customer) ? And then Carphone Whorehouse, TalkisCheap and whoever is next get to carry on as though nothing has happened. If the same people remain in charge and therefore continue the same lazy culture and general ineptitiude regarding security of important data then it's only a matter of time til it happens again. Both companies continue to advertise allegedly great deals and most people will be totally unaware of what has happened. In our supoosedly advanced society we manage to have an inspection regime with gradings for food outlets (important), washing machines (useful but hardly critical) and sundry other applicances but nothing for ISPs, telcos and the like ?? Why not implement a system of grading on IT security, reviewed annually, which they have to display in all advertising ? Yes I know that's more bureaucracy but this is people's personal data we are talking about here - way too many people suffer from theft of personal data. Discounted £400K fines are hardly going to change the prevailing culture that people don't matter. Having to advertise a rubbish grading for a year might make companies think and might help people ask some questions when dealing with these companies.
I'm sure there are better ideas out there, just my suggestion from frustration that nothing will change if all we do is dish out a few paltry fines occasionally.
I am still of the opinion that the proper way to handle such punishment is not to fine them, but to force them to put into an escrow account the cumulative maximum amount that could potentially be stolen from each customer bank account, credit card, etc. exposed and identifiable due to the breach. Which will be used to directly compensate any actual losses incurred by customers. Only after something like 5 years time will any remaining funds be returned back to the company, after removal of a 10% handling fee "fine". Further, for any criminal charges brought against hackers, identity thieves, etc. the head of IT and every manager above which can be proven to have known about their internal bad practices can be held legally liable as being complicit in / an accomplice to the actions of the hackers, identity thieves, etc. as without their negligence and indifference these breaches would not be possible. With a law like that, companies will quickly take proper security practices seriously and injured parties will be properly covered.
> the proper way to handle such punishment is not to fine them,
>but to force them to put into an escrow account the cumulative
> maximum amount that could potentially be stolen
With a law like that, Directors will plunder as much as they possibly can out of the business and then declare it bankrupt before anything is paid out, and injured parties will get nothing...
Biting the hand that feeds IT © 1998–2020