back to article Halfords suffers a puncture in the customer details department

UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher. Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many …

  1. A Non e-mouse Silver badge
    Thumb Up

    Subhead

    Thumbs up for the sub-head.

    1. 2+2=5 Silver badge

      Re: Subhead

      Also The Cars:

      You can't go on. Thinking nothing's wrong, but now. Who's gonna dox your home. Tonight?

  2. Korev Silver badge
    Thumb Down

    In January, Hatton responsibly contacted Halfords to warn the company of the vulnerability. Sadly, his efforts were rewarded mostly by a stony silence until The Register got in touch.

    A spokesperson told us: "Halfords takes the security of our customer data very seriously.

    I'm not sure those two statements agree!

    1. chivo243 Silver badge
      Facepalm

      every company has this template now... <State_company_name> takes the security of our customer data very seriously. I can't count the number of times I've heard that phrase.

      1. DJO Silver badge

        That and "lessons have been learnt" are dependable meaningless platitudes to be rolled out at any opportunity instead of actually doing anything.

      2. ThatOne Silver badge
        Unhappy

        > "<State_company_name> takes the security of our customer data very seriously."

        It's the phrase clearly indicating they don't give a flying ...

        If they had, they would had given some meaningful statement instead of this hackneyed and meaningless stock phrase derived from "Your call is very important to us (please wait till kingdom come)". At least the original had the purpose to flatter the victim, this version is just shameless mockery considering the situation after which it is usually uttered:. "Yeah, yeah, you're very important to us - NOT!"...

    2. Dave314159ggggdffsdds Silver badge

      Missing the difference between 'our customer data' and 'our _customers'_ data' seems to be a symptom of the problem.

      1. Handlebars

        Was expecting the statement to mention 'a sophisticated attack' but maybe they realise incrementing an ID by 1 is not that sophisticated

    3. Anonymous Coward
      Anonymous Coward

      it doesn't matter that those statements agree, somewhat agree, disagree, take a piss, etc. The person (or bot) with a job to reply to media queries, replied to a media query by coping a reply to a media query copied from a reply to media query that was copied from a reply to a media query.

      What, you think I'm being flippant? Well, how else would you interpret the reply that clearly indicates you don't understand the question and / or you don't care about the question / answer and / or you don't give a flying monkey about what people think about the answer (and your company), because you're not paid enough to care. You don't care, Halfords don't care that you don't care, everybody's happy...

  3. Binraider Silver badge

    Yep, I saw some warning signs to this effect booking an MOT last Dec.

    For "unknown" reasons their booking system slapped completely the wrong address on the order. It is as well I took the car in in person or it could have been returned to completely the wrong location.

    1. Korev Silver badge
      Coat

      Looks like they'll have to write some postcode to address these problems...

      1. Jonathan Richards 1 Silver badge

        Wassat, then?

        Halfords supplies tires now?

        1,$s/tire/tyre/g

        :wq!

        Interestingly[1], searching halfords[dot]com for "tires" produces the same 8041 results as for "tyres", but not categorised into car tyres, bike tyres, etc.

        [1] For certain small non-integer values of Interesting

        1. Lon24 Silver badge

          Re: Wassat, then?

          They also supply bulbs. I needed two urgently for my motorbike and click'n'collect should have been the solution. They were in stock at, shock horror, a reasonable price.

          In order to complete the order (sorry!) you put in the registration of the vehicle. 'Invalid it came up. Sadly DVLA disagree and continue to demand road tax and MOT. You can't order what you want without a 'valid' number plate. Repeating in upper/lowercase with/without spaces to no effect. Eventually I put in a random reg of a car parked in our street.

          It worked. Apparently. Got order number and text to say the bulbs were ready to collect.

          Collecting should have been straightforward - yes? Sorry - you really don't want to hear about the connection between Halford's order system and our local branch. Thank goodness they still have dedicated humans ready to ignore it and go collect them off the shelf.

          Time to get the hardware/software up to wetware standards Halfords!

          1. R Soul

            Re: Wassat, then?

            That sets a remarkably low bar. The wetware at Hellfords is the stuff that couldn't get a job at PissyWorld or Talk Talk.

            1. Dave314159ggggdffsdds Silver badge

              Re: Wassat, then?

              Ime they're much more talented than usual for such customer service positions - at least when it comes to getting paid for doing nothing.

              1. John Brown (no body) Silver badge

                Re: Wassat, then?

                Back in the days when Halfords was a chain of much smaller shops on the high street, you could pretty much guarantee that all the people working there had a good idea about cars and engines and at least one would be a proper petrol-head. Nowadays, they are primarily "shop assistants" IME, with little practical knowledge.

            2. EnviableOne Silver badge

              Re: Wassat, then?

              Pay Peanuts get muppets...

          2. Gene Cash Silver badge

            Re: Wassat, then?

            Why the perl would you need to give them rego? What possible reason would they need it for?

            There's motorcycle sites in the states that try to be "helpful" by demanding make/model/year to make sure your non-generic part fits, but then they also have a "buy it anyway" button.

          3. John Brown (no body) Silver badge

            Re: Wassat, then?

            "In order to complete the order (sorry!) you put in the registration of the vehicle."

            Which, of course, begs the obvious question. WHY?

            Halfords most likely answer? Because!

            Clearly they have no concept of multi-vehicle ownership or doing a favour for a friend.

        2. Fred Dibnah

          Re: Wassat, then?

          No, they sell tyres.

          As an aside, content on The Register has gone full USA recently, and the interesting, off-beat, and NSFW articles have virtually disappeared. Sad.

    2. Dave314159ggggdffsdds Silver badge

      In my experience Halfords MOT shops are either criminal or incompetent in ways that just happen to generate revenue for fixing stuff that isn't broken. For example, claiming surface rust on solid (unvented) brake discs was affecting the structural integrity, etc., and that I needed to pay them >£2k to change pads and discs - but not mentioning the pinhole in the brake line which they didn't want to replace because it's a nightmare job on that car.

      I mean, they're so incompetent in non-revenue-raising ways too that I hesitate to put it down to venality. But either way it's a load of hassle you don't get at any proper mot shop.

      1. Ahab Returns

        My MOT man charges full whack £55 roughly (I forget how much it is these days - or I choose to forget) but he gets my business because he is through, honest and knows my spannering abilities. Same place for 30 years and in a five car family that's good wedge of moolah - more than I've ever spent on buying a car, that's for sure!

  4. IGotOut Silver badge

    Is this the same Halford....

    ... that ask you for your email details so they can send you a receipt of something you just bought in the shop....

    Yes, yes it is.

    Also remember folks, these details will be shared across the AA group.

    1. UCAP Silver badge

      Re: Is this the same Halford....

      I sometime use Halford to get the odd things; however I always refuse to give my e-mail address and insist on a paper receipt at the cash desk. When asked "why?" I just state that I don't trust Halford's cyber-security measures with my personal data.

      1. wolfetone Silver badge

        Re: Is this the same Halford....

        All the times I've gone to Halfrauds for anything I've never been asked why when I say no to the email.

        I have noticed on their website though that if you try to use the wildcard email thing (as in, putting + after your name on the email to fill it with any identifiable garbage to you) that while they accept it they won't send an email to it. Three times now I've been screwed out of a £5 voucher after buying oil from them.

        That said, in defence of Halfrauds, their Advanced tools are fantastic. I'll always go to Halfrauds for that, but not much else.

        1. R Soul

          Re: Is this the same Halford....

          Three times now I've been screwed out of a £5 voucher after buying oil from them.

          After they screwed you out of the voucher the first time, why did you try again? And again?

          1. wolfetone Silver badge

            Re: Is this the same Halford....

            Because Petronas Syntium is a rather good oil at a reasonable price, and every time I've needed it Halfrauds have had them at the cheapest price.

            1. TeeCee Gold badge

              Re: Is this the same Halford....

              Christ! I don't even put that stuff in my Alfa, which allegedly requires it.

              If that's a reasonable price, you must be using some new definition of the word "reasonable". HINT: If you can't find the, equally as good, Castrol Edge for half the price, you're not trying.

              1. wolfetone Silver badge

                Re: Is this the same Halford....

                Does your Alfa run long enough without breaking down to require an oil change?

                1. R Soul

                  Re: Is this the same Halford....

                  Surely Alfas rust away long before an oil change is necessarty?.

              2. rhydian

                Re: Is this the same Halford....

                "If that's a reasonable price, you must be using some new definition of the word "reasonable". HINT: If you can't find the, equally as good, Castrol Edge for half the price, you're not trying."

                From what I recall Castrol's retail oils are only available in 4 litre cans, as opposed to the 5 litre cans that everyone else sells for about the same price. The only way I can get 5ltr Castrol Magnatec 5w-30 for my Ford is to order it online from a dealer (Vospers parts, they do great value service kits)

                1. Andy The Hat Silver badge

                  Re: Is this the same Halford....

                  I bought 25l of 20/50 and 5 litres of EP90 (not at scary prices from Halfords). The runny stuff you lot are talking about isn't proper oil ... doesn't stink of cat piss for a start.

              3. Dave314159ggggdffsdds Silver badge

                Re: Is this the same Halford....

                Castrol edge is usually more expensive than Syntium ime. Generally the cheapest decent oil I've found has been Syntium on half price offer - there's always an offer on somewhere for one oil or another of that quality, which is the one I'll get, and most commonly it's been Syntium.

        2. rhydian

          Re: Is this the same Halford....

          "That said, in defence of Halfrauds, their Advanced tools are fantastic. I'll always go to Halfrauds for that, but not much else."

          The Advanced tools range is fantastic when you want something good quality enough to stand up to abuse (e.g. scaffolding tube on a spanner) but not so expensive you're afraid of losing it.

          1. Dave314159ggggdffsdds Silver badge

            Re: Is this the same Halford....

            It's also lifetime-guaranteed. At least once or twice a year they reduce it all to half price, and then it's a very good deal.

            1. Return To Sender

              Re: Is this the same Halford....

              --> It's also lifetime-guaranteed.

              Yep, and they don't piss about when you need to use the guarantee either (at least at my local store). Only ever had to replace one thing, a T40 bit socket where the shaft broke. Straight up to the store, showed the lass on the counter, 2 minutes later walking out with the replacement.

              Definitely worth watching out for the discounts, although they seem to have shifted to a paid-for loyalty scheme now to get the best discounts

    2. Ian Johnston Silver badge

      Re: Is this the same Halford....

      An oldie but a goodie:

      https://www.netfunny.com/rhf/jokes/new91/rshak.html

      1. Gene Cash Silver badge

        Re: Is this the same Halford....

        Sigh. A friend had his outside network cable cut by landscapers chopping up a tree downed in a storm. I suggested a repair kit... that I'd gotten at Radio Shack, and according to Google is now nonexistent.

        I feel so old.

  5. flayman

    A disclosure like this in the US would have landed a prosecution under CFAA

    I can't find it now, but I remember reading about a case where a customer of Comcast or Verizon reached out to them about a similar problem with an insecure API involving a sequential ID number and they were ignored. So after a responsible length of time they went public with it and were then prosecuted and actually convicted. Just ridiculous.

    1. Korev Silver badge
      Childcatcher

      Re: A disclosure like this in the US would have landed a prosecution under CFAA

      Organisations in the UK are obliged to report themselves to the ICO within 72 hours; if this wasn't done (as the article suggests) then Halfords could well end up getting slapped too.

      1. Anonymous Coward
        Anonymous Coward

        Re: A disclosure like this in the US would have landed a prosecution under CFAA

        1. COULD

        2. slapped with a fine of 11.56 (Pound sterling)

    2. Dave314159ggggdffsdds Silver badge

      Re: A disclosure like this in the US would have landed a prosecution under CFAA

      I'd have to look it up (and I cba) to be sure whether this is even a disclosable breach. People seem to have got a funny idea of what data is private, and the bar is set much higher than commonly guessed. Your name and address are not private data in general, although in some cases they can be.

      If it is a breach, it's only a very minor one. It's mot booking data, not std treatment appointments. Failing to report it appropriately would be a further breach of regs, but again a minor one.

  6. Mike 137 Silver badge

    A spokesperson told us: "Halfords takes the security of our customer data very seriously."

    So seriously that they don't pen test their public facing systems?

    However over the last couple of decades, almost no business I've consulted with has had their public presence actively pen tested. They've pretty much all relied on automated 'vulnerability scans', that of course don't find breachable logical errors like this one. I guess it's a matter of cost - that is - a short sighted view of cost.

    1. Korev Silver badge
      Pirate

      Re: A spokesperson told us: "Halfords takes the security of our customer data very seriously."

      Not short sighted at all, that manager will have moved onto their next job before the yet-to-be found vulnerability becomes an issue...

    2. Andy The Hat Silver badge

      Re: A spokesperson told us: "Halfords takes the security of our customer data very seriously."

      No - fully pen tested. It's just that the pen test doesn't check for wide open doors obscured by a "Get it here" sign lit up in pink neon ...

      1. John Brown (no body) Silver badge
        Coat

        Re: A spokesperson told us: "Halfords takes the security of our customer data very seriously."

        They do use the pen to tick the box though. So we know the pen, at least, works.

  7. andy 103
    Thumb Down

    Not their only problem

    Having placed an order with Halfords for an oil change I clicked on the link to track my order.

    I'm not sure if this is the exact same thing as the story but I saw my browser made a request to a URL where it passed my email address. I won't post the URL as I'll report it responsibly. It returned a JSON object with details of my car. The first 3 characters of the reg plate were asterisked out. But it contained details of the MOT date, make, model and colour of the car.

    There's nothing too sensitive in it but it does make me wonder if I could pass any other email address and get a response. Haven't tried it and don't want to! I'll report it anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not only their problem - ?

      Haven't you seen those TV adverts offering to value your car on your phone, just enter your reg number? I wonder if the DVLA is "helping reduce Govt borrowing" by selling off everyone's details to second hand car salesmen?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not only their problem - ?

        DVLA sells everyone's details to just about anyone who asks: insurance companies, tyre (not tire) and exhaust fitters, car park extortion rackets, ferry companies, etc. There doesn't appear to be any opt-out and the ICO doesn't give a shit.

        All your data are belong to us. Have a nice day.

        1. andy 103

          Re: Not only their problem - ?

          "All your data are belong to us."

          That may be so. But in this case it's exposing personally identifiable information tied to details of the car. Admittedly knowing when someone's MOT is due and being able to match that to an individual's email address is hardly the breach of the century but it's bad practice nonetheless.

          You can of course look up things like all of the data I mentioned even off the DVLA's official website only from giving a reg number. But it doesn't tell you *who* the vehicle belongs to!

        2. Martin-73 Silver badge

          Re: Not only their problem - ?

          Yep I explicitly asked the DVLA why they gave my details to a 'private parking company' and to explain what law allowed them to do this;.. 6 yrs on, and crickets

          1. ThatOne Silver badge

            Re: Not only their problem - ?

            > why they gave my details to a 'private parking company'

            Because they had to feed their orphans who are crying themselves to sleep every night in their soggy cardboard boxes in the windy cold streets... Or because of manager greed. Either is possible.

          2. Dave314159ggggdffsdds Silver badge

            Re: Not only their problem - ?

            You can easily look this up.

            https://www.gov.uk/government/publications/dvla-data-sharing-strategy

            The DVLA has a positive duty to _disclose_ vehicle registration details to anyone who makes a reasonable request. It is not private date, it's a public registry. There's no loophole, the system is working as we intend it to work.

            Next you'll be complaining the electoral role is also public data.

            1. Martin-73 Silver badge

              Re: Not only their problem - ?

              The request in this case wasn't reasonable. I had permission to be there and was thus exempt from their poking and prying. It's spilling of personally identifiable information to poorly vetted or totally UNVETTED basically criminal gangs in some cases (yes, there ARE decent responsible private parking companies but they're the exception.) If DVLA is required by law to share the data (as the link you provided seems to show, ta for that), then maybe the companies that they share it WITH should be strictly regulated by law? Just an idea

      2. General Purpose Silver badge

        Re: Not only their problem - ?

        The UK government makes the basics for any registration number freely available. https://www.gov.uk/check-vehicle-tax gives you vehicle's make and colour, year of manufacture, month of first registration, fuel type, cylinder capacity and more. https://www.check-mot.service.gov.uk gives model, plus date, mileage and pass/fail for each test. There's enough there to allow a rough valuation.

  8. Anonymous Coward
    Anonymous Coward

    Halfords IT Always a bit odd

    Halfords IT always seems odd:

    1. Trying to buy a new main beam bulb I put in my car's reg. on their in-shop system. It came up with a bulb different from the one I had just taken out. So I sought help and also dug out the handbook. The dead bulb was as listed in the handbook but the shop assistant argued. His final suggestion was that Volvo had obviously got it wrong!

    Then I remembered that a lifetime ago I had tried to sell Halfords a point-of-sale system. "It won't work because bar-coding won't take off", was a serious observation from quite a senior person.

    Halfords has passed through many owners over the year but its IT always seems a bit odd.

    1. Doctor Syntax Silver badge

      Re: Halfords IT Always a bit odd

      It may have passed through several hands but if management teams aren't replaced from time to time you'll get the nth generation of managers who kept promoting underlings in their own image.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022