Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data

The third-party mailbox used by Computacenter employees and contractors to deposit data for security clearance applications has been hacked and used in phishing scams. The company, one of Europe's largest resellers, counts some of the biggest names in financial services among its corporate client base, and sells to a raft of …

  1. Pascal Monett Silver badge

    Oh really ?

    "However, these logs cannot tell us precisely what was in the mailbox at the time of the attack or whether the data was exported or just deleted,"

    I understand that the logs can't, but the backup of the mailbox from the day before the hack surely should.

    You have the backup, right ? Surely you specified in the contract that the mailbox needed regular backups, right ? A solid, international corporate structure advocating data security would not think of signing a vetting contract without proper backup procedures, would it ?

    Why do I have the impression that I'm pissing in the wind, here ?

    1. 0laf Silver badge

      Re: Oh really ?

      Loss of the availability of that data would also be a breach of the GDPR on top of the loss of confidentiality (assuming their security was found to be inadequate).

    2. Doctor Syntax Silver badge

      Re: Oh really ?

      Maybe they didn't keep backups. Too risky. Somebody might get access.

    3. Anonymous Coward

      Why do I have the impression that I'm pissing in the wind, here ?

      Sorry, but it's because you are pissing in the wind. Possibly even into the wind.

  2. Blockchain commentard

    Perhaps Computacenter should have used their own staff to look after the mailbox security. The old saying "It's always the weakest link that fails first." seems apt.

    1. Anonymous Coward

      I hope it is only Cobbler's children syndrome. If not then all their customers should be asking some serious questions. Is it safe to assume all their customer data in this mailbox was encrypted?

    2. NoneSuch Silver badge
      FAIL

      So failing to protect personal information, they get hacked and demand MORE personal info like passports,etc. to make it right?

    3. Templogin

      Cash

      Money may have been part of the decision!

  3. Anonymous Coward

    Computacenter said it initiated the Group Information Assurance compliance methodology

    I get that cyber security is a real thing and the threats and real world consequences are real too.

    But why does everyone in the cyber security industry seem to be selling snake oil? Would you willingly hire a cyber security guy who said things like this? Even if they hadn’t just been hacked themselves?

  4. adam payne

    Computacenter is offering a 12-month free ID monitoring service

    Oh that tired old olive branch.

    but to access it staff and contractors need to email the UK Vetting Team.

    They did that before and look where that got them.

    1. Anonymous Coward

      So long as it remains consequence-free companies will continue to pay fast and loose with personal data.

      Someone signed off on the use of that external service without bothering to do any due diligence. Maybe the penalty could be complete disclosure of that person’s data, and everyone above them in the organisation.

      1. Anonymous Coward

        Nice

        Having a happy moment thinking about your suggestion here.

        Could we add some time in the stocks, with plentiful supplies of rotting fruit available?

        Please?

      2. Phil Kingston

        Yep, until we see custodial sentences actually handed out to CIOs they'll continue to be these stories.

    2. Anonymous Coward

      A place not too far from here was spear phished last year and data was taken. In that was personal info such as names and bank details, as someone from finance had left a spreadsheet with expenses stuff in it somewhere on a network share it shouldn't have been on.

      Then during the mop up we were told that we should sign up to some sort of fraud protection service, then put the fee though expenses...

  5. AlexGreyhead
    Coat

    TITSUP

    Total Inability To Secure Users' Passports?

  6. fnusnu

    Why are they even asking for this sort of data to be sent via email in the first place?

    1. Anonymous Coward

      It was cheap and someone else's problem when it broke or got hacked...

  7. jon909

    I'd bet money on this "mailbox" being a free Gmail or Outlook.com account. Compliant my arse!

    1. Lord Elpuss Silver badge

      You'd almost certainly lose that bet.

  8. Andy The Hat Silver badge

    You cannot be serious ...

    "Whilst we believe that the motive for the attack was disruptive rather than exploitative, ..."

    When the data available and potentially taken has such fundamental security implications, how can that comment even be considered, let alone made?

    1. 0laf Silver badge
      FAIL

      Re: You cannot be serious ...

      Well they can't say "OMG you're all soo fucked now!".

      So you get the standard disingenuous half truths a la Dido Harding.

    2. a_yank_lurker Silver badge

      Re: You cannot be serious ...

      My reaction is the miscreants are targeting people with security clearances for espionage activities. This is a long game by some spookhaus looking to find someone to turn somehow to get the classified goodies.

    3. Anonymous Coward

      How can that comment even be considered, let alone made?

      Because such weasel words are balm to the ears of those that speak them, and as yet, society has not seen fit to allow citizen actioned termination of such lying b*stards' existence.

      I live in hope though.

      1. Doctor Syntax Silver badge

        Re: How can that comment even be considered, let alone made?

        "Because such weasel words are balm to the ears of those that speak them,"

        And because nobody follows them up with searching questions such as "Why are you talking bollocks?".

  9. Anonymous Coward

    Enquiring minds

    Who was the third party supplier? Which other customers were affected?

  10. Doctor Syntax Silver badge

    How difficult can it be? Download mail as it arrives. Store it locally. Delete from the online server. The more sensitive it is, the more you protect your local storage.

    1. The Mole

      Sensitive personal information shouldn't be transmitted in plain text over email to begin with, particularly to a third party mailbox where it will be travelling across the open internet.

      It's not like a secure webform/storage is hard, and it has the benefit that the data likely ends up in a more normalized and efficient-to-process format. Though I wouldn't be surprised if they used an externally hosed one of these and then it emailed out the resultant uploads..

      1. Doctor Syntax Silver badge
        Happy

        "externally hosed"

        I guess you meant "housed" but somehow "hosed" seems just right.

      2. Anonymous Coward

        You are correct, we submit all the information to a portal in normal operation. The email address is used to say "I've just submitted an updated document to the portal".

        However, plenty of lusers will just email their private documents even though they haven't been asked to.
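
The fetch-store-delete pattern Doctor Syntax describes in comment 10 (download as it arrives, keep it locally, delete from the online server) is simple to get right as long as the local copy is durable before the server-side delete is issued. The following is an added example written for this page, not code from Computacenter, its vetting supplier or any commenter. It talks to anything exposing the `imaplib.IMAP4` methods it uses, so a real run would substitute `imaplib.IMAP4_SSL(host)` plus a login; the `FakeIMAP` class, the `example.invalid` addresses and the two sample messages are constructed so the example runs offline. As The Mole's reply notes, the better fix is not to accept this material over email at all; this only limits the blast radius of a mailbox takeover.

```python
"""Fetch-store-delete for a sensitive mailbox.

Pull every message in a folder into a local Maildir, make sure it is on disk,
and only then flag it \\Deleted and expunge it on the server.  Added example;
assumes an IMAP object with imaplib's select/search/fetch/store/expunge API.
"""
import mailbox
import os
import tempfile
from email.message import EmailMessage


def fetch_store_delete(imap, maildir_path, folder="INBOX"):
    """Copy each message in `folder` to `maildir_path`, then delete it server-side.

    Returns the number of messages moved.  Anything that cannot be fetched is
    left untouched on the server rather than deleted blind.
    """
    typ, _ = imap.select(folder)
    if typ != "OK":
        raise RuntimeError("could not select folder %s" % folder)
    typ, data = imap.search(None, "ALL")
    if typ != "OK":
        raise RuntimeError("search failed")
    # mailbox.Maildir creates the directory mode 0o700: local storage is the
    # only copy after this, so keep it readable by the archiving user alone.
    local = mailbox.Maildir(maildir_path, create=True)
    moved = 0
    for num in data[0].split():           # message sequence numbers as bytes
        typ, msg_data = imap.fetch(num, "(RFC822)")
        if typ != "OK" or not msg_data or not isinstance(msg_data[0], tuple):
            continue
        raw = msg_data[0][1]              # the RFC822 bytes
        local.add(raw)                    # Maildir.add accepts raw bytes
        local.flush()                     # on disk BEFORE the server is told to drop it
        imap.store(num, "+FLAGS", "\\Deleted")
        moved += 1
    imap.expunge()                        # sequence numbers stay valid until here
    return moved


class FakeIMAP:
    """Constructed in-memory stand-in for imaplib.IMAP4 (offline only)."""

    def __init__(self, raw_messages):
        self.msgs = {str(i + 1).encode(): m for i, m in enumerate(raw_messages)}
        self._deleted = set()

    def select(self, folder):
        return ("OK", [str(len(self.msgs)).encode()])

    def search(self, charset, criteria):
        return ("OK", [b" ".join(sorted(self.msgs))])

    def fetch(self, num, parts):
        raw = self.msgs[num]
        return ("OK", [(b"%s (RFC822 {%d})" % (num, len(raw)), raw), b")"])

    def store(self, num, command, flags):
        self._deleted.add(num)
        return ("OK", [num])

    def expunge(self):
        for num in self._deleted:
            self.msgs.pop(num, None)
        self._deleted.clear()
        return ("OK", [None])


def sample_messages():
    """Two constructed messages of the kind a vetting mailbox would receive."""
    out = []
    for i, subject in enumerate(["SC renewal form", "Scan of passport"], 1):
        m = EmailMessage()
        m["From"] = "contractor%d@example.invalid" % i   # constructed address
        m["To"] = "vetting@example.invalid"               # constructed address
        m["Subject"] = subject
        m.set_content("Constructed sample body %d" % i)
        out.append(m.as_bytes())
    return out


def demo(raw_messages=None):
    """Run the move against FakeIMAP; return (moved, local subjects, left on server)."""
    if raw_messages is None:
        raw_messages = sample_messages()
    server = FakeIMAP(raw_messages)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vetting")
        moved = fetch_store_delete(server, path)
        subjects = sorted(m["Subject"] for m in mailbox.Maildir(path))
    return moved, subjects, len(server.msgs)


if __name__ == "__main__":
    print(demo())
```

With a real server the only change is constructing `imaplib.IMAP4_SSL(host)` and calling `login()` before passing it in; the ordering inside the loop (write, flush, then `\Deleted`) is the part that matters, because the reverse order turns a crash or a network drop into silent data loss.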

  11. Anonymous Coward

    I was cleared...

    ...a couple of years back when I worked at CC.

    Then the renewal for SC came through and they wanted as much detail as I'd had to give 10 years previously for DV.

    At which point I let my clearance lapse and left.

    I'd been looking for an excuse to leave the public sector anyway what with the changes to IR35 coming up back then and that seemed like a good way to make me actually do it rather than take the path of least resistance.

    but to access it staff and contractors need to email the UK Vetting Team.

    They did that before and look where that got them.

    Came to say exactly that.

  12. Anonymous Coward

    Every uk company ever

    Security is the hot potato in any company. It will be passed to the person that doesn't see or care about the consequences of incompetence.

    If that's not possible it will be outsourced.

    Then they will sneer at the abilities of the people that took over the job they were doing while nestling in the snug embrace of their low impact non job.

  13. Crazy Operations Guy

    "Computacenter is offering a 12-month free ID monitoring service"

    I'm just waiting for the day that one of these credit monitoring agencies gets hacked. They are hanging onto a lot of data and any identity theft that results would just be blamed on the initial hack...

    Although putting on my tinfoil hat, I wouldn't be surprised if this has already happened.

    1. Anonymous Coward

      Re: "Computacenter is offering a 12-month free ID monitoring service"

      I believe it was called Experian

      1. Makyla

        Re: "Computacenter is offering a 12-month free ID monitoring service"

        Equifax - hacked after they were told months prior to them realizing they were hacked.

        All because they failed to realize they were vulnerable due to open source code being used in their systems.

        1. Phil Kingston

          Re: "Computacenter is offering a 12-month free ID monitoring service"

          Wasn't it that they were vulnerable because of *out of date* open source code?

      2. andymbush

        Re: "Computacenter is offering a 12-month free ID monitoring service"

        And Equifax (who were hacked and "gave away" my data) and who offered me free use of their fraud checking service which asked me for even more data like credit card, passport etc so they could scan "the dark Web" etc!!

        Sure, as if I would trust them any more. Stupid or what!

  14. Stevie Silver badge

    Bah!

    So, is this what is meant by "Microsoft Passport"?

    I say, chaps and chapettes, isn't it lucky that these poor sods learned from the experience of others over the last two decades and encrypted all the data on the server as well as ensuring no logical proximity between related documents that could construe an Identity Theft Kit.

    Why is everyone laughing?

  15. Anonymous Coward

    Mm somebody clicked something

    So given the content of computacenter security blogs etc it seems strange that one of their vetting staff was duped into submitting credentials surely they would of been trained how to spot one...... No amount of security will help if the idiot clicks the link and gives up the password

    1. Anonymous Coward

      Re: Mm somebody clicked something

      I hate to do this but....

      "...would HAVE..."

      Seriously! Yes!!

      1. 's water music
        Happy

        Re: Mm somebody clicked something

        I hate to do this

        You are fooling nobody here; probably not even yourself.

      2. Tazd007
        IT Angle

        Re: Mm somebody clicked something

        It's the same grammar mistake a phishing mail would use so well done you

  16. Anonymous Coward
    Boffin

    Yep

    If only some brainiac could invent Multi-Factor Authentication

  17. Anonymous Coward

    Third Party Provider

    The provider of the service to CC has an impressive list of trophy logos on its website. So while the tip-off came from CC, I expect that many other companies are affected by this compromise.

    And remember, kids, your email account is only as secure as your MX record. That's why your password recovery address should always be <username>@gmail.com or whatever and not <myname>@<vanity-domain>.co.uk - if someone wants to destroy your life the starting point is getting hold of your email and the MX record is the softest target.

  18. Anonymous Coward

    I can guess who wrote that email - weasel words indeed ...

    I would think this is just the tip of the iceberg at CC. Quite the least security focused organisation I ever had the displeasure to work for.

  19. clintos

    pen before knowledge scene again...

    The typical reason behind this is, your non-technical pen pusher in finance who signs off as, we will go with this cowboy outfit, as they are the cheapest. Bring in the GDPR lawyers now, to spank the pen pushers' ass.

  20. FlamingDeath

    Outsourcing...

    Because we’re shit AND incompetent

  21. Anonymous Coward

    The ICO won't act, even if Computacenter were negligent ...

    ... as long as Computacenter are paying the ICO off with "data registration" fees.

Biting the hand that feeds IT © 1998–2020