
If only they'd put a sign on their website saying "No user data left on this site". That usually deters most would-be ne'er-do-wells where vans are involved.
Anyvan, the European online marketplace that lets users buy delivery, transport or removal services from a network of providers, has confirmed it was the victim of a digital burglary that involved the theft of customers' personal data. The company wrote to customers mid-last week to inform them of a "breach of security …
This is something that has become so frequent that no one is in the least surprised anymore.
A huge data breach?
Thousands of passwords and (most important) personal and banking data stolen?
Move along now, nothing new here, happens all the time.
The only way that this will eventually stop is to heavily fine the company that allowed this to happen.
We can't continue to be so naïve as to think that, in this day and age, these things just happen.
No ...
They happen because some DH beancounter calculated the risk vs. the cost of having a secure system and decided that, given the lack of penalties involved, it was a good deal to take the risk.
And some bigwig approved it.
Of course, we all know that given enough time and resources, any secure system could eventually be breached.
But a severe penalty, e.g. 50% of the previous year's profits and 100% in a recurrence, would put real fear in any CEO's mind.
The result will be that systems would never again be breached due to incompetence and greed.
O.
That's really not practical though.
My company stores minimal customer data which is secure *to the best of my knowledge*, but my bugs and mistakes notwithstanding, I'm still relying on at least the following (in no particular order) to be secure in the first place:
My hosting provider.
Linux.
The programming languages and libraries that I'm using.
MySQL.
All third party libraries I'm using. (Not many, and nothing on critical paths, but there are some.)
My payment provider.
I do the best I can to ensure that any data I manage is secure. But there are so many unknowns here.
If my company were to be arbitrarily fined due to a bug in one of the technologies I'm using, how is that fair? The only way I could be 100% responsible would be if I hosted my websites and databases on my own machines, running 100% my own code from the BIOS up. Which is never going to happen for 99.9999% of companies out there.
In your scenario, no third party library with any form of liability disclaimer would ever be used ever again. And in fact most third party library developers would probably stop from fear of being sued to smithereens if (and when) a vulnerability was exploited.
"That's really not practical though"
At one time, that was commonly said about putting guards on dangerous machinery. Making people liable proved it was extremely practical.
I'd like to see the judge's face when someone claims to have taken reasonable steps to protect his customers' data by relying on code whose origins are indeterminate, whose accuracy he hasn't personally attempted to verify and for which no-one else is prepared to accept responsibility.
"relying on code whose origins are indeterminate, whose accuracy he hasn't personally attempted to verify and for which no-one else is prepared to accept responsibility"
The open source code the GP mentions certainly makes the first two possible. It also makes it possible for respected 3rd parties to verify.
Proprietary code, of course, is likely to fail on all three counts.
I believe the term that you are missing is "negligence". It is negligent handling of customer data which is being complained against. That's what is meant by "allowed".
But if giving 3rd party software access to customer data without making any attempt to validate the suitability of said software is not negligent handling of customer data, what exactly is?
Yes, but where do you draw the line?
Is it negligent not to verify and understand every line of MySQL? Or every line of Linux? Or the standard libraries and language extensions that my hosting provider enables by default - and that I need to perform even the most basic of tasks a lot of the time? Look at the problems uncovered in OpenSSL a few years ago. There is no guarantee anywhere that any of the above aren't likely to contain exploits that could ultimately cause my customer data to be stolen.
But as I said before, that level of verification simply isn't practical.
Which is my point. If my company is to be fined for every incursion I have to be able to point the finger at the person or persons responsible. (Assuming it's not my code that's at fault. If I'm directly to blame, that's on me, of course.) I don't have control over any of the safeguards my hosting provider has put in place. Will they compensate me? Somehow, I doubt it.
And so the flip side of that is how do you prove negligence with any of the above?
When Heartbleed came out, the response of my sysadmin buddies (at Google) was, "Yeah, OpenSSL is a hot mess. That's why the forks are out."
Which is exactly the sort of thing that I'm talking about. There is a piece of code being relied on all over the place which is known to be a huge problem, and yet people are deliberately carrying on as if there is no problem. In any other industry, the response to this would be eye-watering lawsuits.
It's enough to make me seriously consider strict liability.
@oiseau
"The only way that this will eventually stop is to heavily fine the company that allowed this to happen."
Why? The company isn't the criminal. Someone was recently caught in a US airport living there for 3 months and entering restricted areas. Should the airport be prosecuted over someone else's actions?
Do we prosecute victims of burglary and accuse them of allowing it to happen?
Assuming reasonable care, which is all we can all do in every aspect of our lives, we cannot assume things are unbreakable by people who will plug away at targets out of curiosity or malice until they get in.
The security must withstand every attack. Only one attack must get through. Anyone feeling that godlike needs an ego check.
For the airport case, the guy went undetected for 3 months which is a serious flaw in airport security and someone should definitely be held accountable. So yes, in some cases there needs to be definite accountability.
But we aren't discussing airport security. This is about security of customer data on PCs and in servers and data centres, and anyone hosting such data is obliged to look after it. Too many firms pass the buck rather than proactively attempting to ensure and verify data security, hand waving at the cloud host or the OS or the ISP or whichever.
Such deferred responsibility cannot continue, and one way to improve things is to ensure the cost of failure to secure is significantly greater than the cost of securing. Is it the only way? Perhaps not. But history shows time and again that many firms will never act unless threatened with the legal equivalent of a really big LART.
@Doctor Syntax
"Nobody's blaming the victims here. The victims are those whose data was copied, not the company that was supposed to have been safeguarding them."
Except for the damage to the company. Whatever else gets stolen from the company, violating and potentially adding holes to the security, running damaging software on compromised systems not to mention reputation.
For anyone seriously thinking about this as a solution I suggest reading The Art of Intrusion: https://www.amazon.co.uk/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661/ref=sr_1_1
There must be a reasonable effort made to secure systems, but if people can't get their heads around computers not being inherently secure then they should probably go back to school.
It is beginning to seem obvious that if you are an important company with Internet access these days, you need to have an IDS.
It took three months for AnyVan to discover that they'd been hacked into. To me, that clearly indicates that they had no IDS and weren't monitoring their network activity properly.
I guess they should be thinking about that now.
Oh, and no "we take the security of your data very seriously" ? You're not playing by the rules, AnyVan !
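The "weren't monitoring their network activity properly" point above is the kind of thing even a very small monitoring rule catches. The following is an added example, not code from the original thread or from AnyVan: it parses constructed web-server access log lines (invented traffic, not real data) and flags any client that fetches an unusually large number of distinct account records within a short sliding window, which is the sort of bulk read a three-month-undetected intrusion tends to leave behind. The log format, path layout (`/account/<id>`) and thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-style access log line: ip - - [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
# Assumed application route for a single customer record.
ACCOUNT_RE = re.compile(r'^/account/(\d+)(?:[/?].*)?$')


def _line(ip, ts, path, status=200, size=1234):
    # Build one constructed access log line (invented traffic, not a real capture).
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} {size}'


T0 = datetime(2015, 7, 1, 9, 0, 0, tzinfo=timezone.utc)
CONSTRUCTED_LOG = (
    # an ordinary customer looks at her own account twice over the morning
    [_line("203.0.113.7", T0 + timedelta(minutes=m), "/account/1042") for m in (0, 35)]
    # a second customer checks his account and a quote
    + [_line("198.51.100.3", T0 + timedelta(minutes=2), "/account/2210"),
       _line("198.51.100.3", T0 + timedelta(minutes=3), "/quote/88")]
    # one client walks sequential account ids, one every two seconds
    + [_line("192.0.2.55", T0 + timedelta(seconds=2 * i), f"/account/{5000 + i}")
       for i in range(30)]
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_enumerating_clients(lines, distinct_accounts=10, window=timedelta(seconds=60)):
    """Return {ip: peak distinct account ids seen inside any `window`} for every
    client whose peak reaches `distinct_accounts`. Only successful (200) account
    reads count; a sliding window over each client's sorted timestamps finds the peak."""
    hits = defaultdict(list)  # ip -> list of (timestamp, account_id)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        am = ACCOUNT_RE.match(rec["path"])
        if am and rec["status"] == "200":
            hits[rec["ip"]].append((rec["ts"], am.group(1)))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({acc for _, acc in events[start:end + 1]}))
        if peak >= distinct_accounts:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerating_clients(CONSTRUCTED_LOG).items():
        print(f"ALERT {ip}: {n} distinct account records read inside 60s")
```

A real deployment would feed the same logic from the live log stream and page someone on the alert; the lesson is that the data needed to spot bulk access is usually already being written, and the gap is that nobody is reading it.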
Another business that would rather save a few quid by publishing its proprietary, confidential, and personal data on the internet. And anyone with an ounce of brains knows a net is just a bunch of holes held together with string. The net won't even become remotely secure until two things are done. Minimum encryption goes to 513 bit and humans are prohibited from using it.
Neil Brown, tech lawyer at decoded:legal, told us the breach in AnyVan’s case is "pretty limited in scope of personal data" and he could understand why it had opted not to tell the ICO.
Name & email
Pretty major personal data IMHO (as could in theory link to other breaches)
... and depending on the "cryptographic hash of their password" (a bit more info would help, but if we assume it's possible to crack & get the password then in theory credential stuffing attacks ahoy, as some proportion of users reuse email and passwords across sites even though they shouldn't)
IMHO ALL breaches of personal data should be reported
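The comment above is right that "cryptographic hash" on its own says nothing about how much a leaked table exposes. The following is an added example, not code from the thread or from AnyVan, contrasting the two ends of that range: a fast unsalted SHA-256 digest, where two users with the same password get the same stored value and so a leaked table immediately reveals shared passwords, versus a salted, iterated PBKDF2-HMAC-SHA256 value (Python's standard `hashlib.pbkdf2_hmac`), where the same password gives different stored values and every guess costs the full iteration count. The user names and passwords are constructed, and the 600,000 iteration count is a chosen parameter for the illustration, not anything the article reports about AnyVan.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed users; alice and bob happen to share a password.
CONSTRUCTED_USERS = [
    ("alice", "Winter2020!"),
    ("bob", "Winter2020!"),
    ("carol", "correct horse battery"),
]

PBKDF2_ITERATIONS = 600_000  # chosen work factor for this example


def fast_unsalted_hash(password):
    """The weak scheme: one plain SHA-256 over the password, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The stronger scheme: per-user random salt plus an iterated KDF.
    Stored as algorithm$iterations$salt_hex$key_hex so verify() can re-derive it."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password, stored):
    """Re-derive the key from the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def shared_hash_groups(table):
    """Given [(user, stored_value)], return the groups of users whose stored values
    collide. With an unsalted hash this is exactly what a leaked table hands over."""
    by_value = defaultdict(list)
    for user, value in table:
        by_value[value].append(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_tables():
    """Hash the constructed users both ways and return (unsalted_table, salted_table)."""
    unsalted = [(u, fast_unsalted_hash(p)) for u, p in CONSTRUCTED_USERS]
    salted = [(u, slow_salted_hash(p)) for u, p in CONSTRUCTED_USERS]
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted table reveals shared passwords:", shared_hash_groups(unsalted))
    print("salted PBKDF2 table reveals:", shared_hash_groups(salted))
    print("verify alice ok:", verify("Winter2020!", dict(salted)["alice"]))
```

The design choice worth noting is that the stored string carries its own salt and iteration count, so the work factor can be raised later for new hashes without breaking verification of the old ones.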