Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data

Perhaps Computacenter should have used their own staff to look after the mailbox security. The old saying "It's always the weakest link that fails first." seems apt.

Computacenter said it initiated the Group Information Assurance compliance methodology

I get that cyber security is a real thing and the threats and real world consequences are real too.

But why does everyone in the cyber security industry seem to be selling snake oil? Would you willingly hire a cyber security guy who said things like this? Even if they hadn’t just been hacked themselves?

Computacenter is offering a 12-month free ID monitoring service

Oh that tired old olive branch.

but to access it staff and contractors need to email the UK Vetting Team.

They did that before and look where that got them.

Whey are they even asking for this sort of data to be sent via email in the first place?

I'd bet money on this "mailbox" being a free Gmail or Outlook.com account. Compliant my arse!

You cannot be serious ...

"Whilst we believe that the motive for the attack was disruptive rather than exploitative, ..."

When the data available and potentially taken has such fundamental security implications, how can that comment even be even considered let alone made?

Enquiring minds

Who was the third party supplier? Which other customers were affected?

How difficult can it be? Download mail as it arrives. Store it locally. Delete from the online server. The more sensitive it is, the more you protect your local storage.

I was cleared...

...a couple of years back when I worked at CC.

Then the renewal for SC came through and they wanted as much detail as I'd had to give 10 years previously for DV.

At which point I let my clearance lapse and left.

I'd been looking for an excuse to leave the public sector anyway what with the changes to IR35 coming up back then and that seemed like a good way to make me actually do it rather than take the path of least resistence.

but to access it staff and contractors need to email the UK Vetting Team.

They did that before and look where that got them.

Came to say exactly that.

Every uk company ever

Security is the hot potato in any company. It will be passed to the person that doesn't see or care about the consequences of incompetence..

If that's not possible it will be outsourced.

Then they will sneer at the abilities of the people that took over the job they were doing while nestling in the snug embrace of their low impact non job.

"Computacenter is offering a 12-month free ID monitoring service"

I'm just waiting for the day that one of these credit monitoring agencies gets hacked. They are hanging onto a lot of data and any identity theft that results would just be blamed on the initial hack...

Although putting on my tinfoil hat, I wouldn't be surprised if this has already happened.

Bah!

So, is this what is meant by "Microsoft Passport"?

I say, chaps and chapettes, isn't it lucky that these poor sods learned from the experience of others over the last two decades and encrypted all the data on the server as well as ensuring no logical proximity between related documents that could construe an Identity Theft Kit.

Why is everyone laughing?

Mm somebody clicked something

So given the content of computacenter security blogs etc it seems strange that one of their vetting staff was duped into submitting credentials surely they would of been trained how to spot one...... No amount of security will help if the idiot clicks the link and gives up the password

Third Party Provider

The provider of the service to CC has an impressive list of trophy logos on its website. So while the tip-off came from CC, I expect that many other companies are affected by this compromise.

And remember, kids, your email account is only as secure as your MX record. That's why your password recovery address should always be <username>@gmail.com or whatever and not <myname>@<vanity-domain>.co.uk - if someone wants to destroy your life the starting point is getting hold of your email and the MX record is the softest target.

I can guess who wrote that email - weasel words indeed ...

I would think this is just the tip of the iceberg at CC. Quite the least security focused organisation I ever had the displeasure to work for.

pen before knowledge scene again...

The typical reason behind this is, your non technical pen pusher in finance who signs off as, we will go with this cowboy outfit, as they are the cheapest. Bring in the GDPR lawyers now, to spanked the pen pushers ass.

Outsourcing...

Because we’re shit AND incompetent

The ICO won't act, even if Computacenter were negligent ...

... as long as Computacenter are paying the ICO off with "data registration" fees.