back to article Europe's largest caravan club admits wide array of personal data potentially accessed

The Caravan and Motorhome Club (CAMC) and the experts it drafted to help clean up the mess caused by a January cyberattack still can't figure out whether members' data was stolen. According to an update shared with members late last week and now published on its website, the CAMC listed all the different types of data that …

  1. sitta_europea Silver badge

    "Data security is of paramount importance to the Club, our members, guests, and suppliers. We have taken further actions under the instruction of our cybersecurity experts to enhance the Club's cybersecurity to help prevent this type of incident from happening again."

    Yeah, yeah.

    If the first sentence were true, you'd have done the things in the second sentence before it happened, not after.

    1. PhoenixKebab

      "The organization has asked members not to make contact regarding any possible personal data security matters as it ***will be contacting affected members directly***, should the data be eventually found to be compromised."

      So they'll let people know their data has been compromised by using exactly the same contact information and other data that any phisher now holds.

      1. lukewarmdog

        in fact, as the hacker, I'd be rubbing my hands together at this point.

        The 'only' contact the club is going to have with its members is when they definitely need to do something?

        One spoofed email advising you to change your password coming up!

    2. 0laf

      Well they've hit a good few squares on "cyber incident bingo" so far and see to be aiming for the full house.

      I await for "victim of a sophisticated attack" to be announced before I'll shoute "house".

  2. tiggity Silver badge

    "The official line at the beginning was that investigators had been drafted in and there was no evidence to suggest member data was compromised, a stance that has since shifted to open up the possibility of data access. CAMC, however, reported itself to the UK's data watchdog, the Information Commissioner's Office, from the outset."

    In so many of these cases a lack of honesty & transparency from the outset.

    If in doubt, communications assume the worst case data leak scenario & warn customers ASAP

    .. If it turns out the actual result was "better" than worse case scenario, then regard that as a bonus.

    The BS of "minor incident". gradually unfolding over time to statements along the lines of "Ooh, crown jewels nabbed" gets tedious & irritates customers.

    I'm not one of the El Reg readers affected by this, just sick and tired of seeing the same old PR drivel, when customers would be better served by honesty, even if its just "we don't know how bad it is, so assume the worst until we know otherwise"

    1. Jim Willsher

      "I'm not one of the El Reg readers affected by this"

      I am, and the CAMC has been shambolic at handling this. The first we knew was the website going down (500), then they put up a holding page. It was ~6 days before they issued their first statement. They claimed they were told not to go public with an announcement, presumably in the hope that their 1M+ members (including myself) simply wouldn't notice.

      In January. When most people have a new holiday year. And are starting to book holidays. Like we were trying to.

    2. Anonymous Coward
      Anonymous Coward

      Having been sat on the inside of a couple of incidents, IT are usually the ones pushing for transparency, PR just do as told and its Legal and Insurers that cause the problems with doing so.

  3. spold Silver badge

    On the upside

    Thousands of hacked companies can now breathe a bit easier as their exfiltrated data is now stuck in a long line of traffic to the dark web behind all this stuff.

    1. Anonymous Coward
      Anonymous Coward

      Re: On the upside

      Yes, but it will have impact as now people will know who owns one..


  4. spold Silver badge

    More of the same...

    ""I would like to offer my sincere apologies for any inconvenience this has caused, and thank you for your continuing patience as we return to normality,"

    That's what they say every bank holiday,

  5. abend0c4

    CAMC ... offers a variety of insurance policies

    Hope they remembered to cover themselves against IT risks.

  6. Stuart Castle Silver badge

    The problem is, even if you have the best security systems on earth, there can still be flaws in the system that expose your data to a skilful hacker (or even a trojan written by a skilful hacker). Even if there aren't, all they need is an operator with a weak password or that falls for a phishing attempt. If that operator is an admin, then that is better for them.

    The problem is that ideally, all companies handling any kind of data they don't want in the open, should have secure and up to date tech (this includes all software and devices that the data might be stored on, accessed by or travel through) that is thoroughly locked down, and regularly security tested. All staff that have any access to the data should receive proper training on keeping that data securie, including anti phishing training, and should be regularly (and anonymously) tested.

    I should note that even the most skeptical, security minded people *can* be fooled into falling for scams.

    That's the ideal world, from a security point of view. We work in the real world. What is ideal is often costly and inconvenient, so tends to get forgotten.

    1. Mike 137 Silver badge

      "including anti phishing training"

      Training alone is insufficient as regardless of how intensively you train, front line staff remain non-expert in detecting phishing attempts (which requires both technical understanding and investigative action in each case). There are, however, technical fixes that can make a huge difference (e.g. stripping the clickable element from URLs in emails from outside the enterprise). That's rather obvious, isn't it, but hardly any organisation seems to do it.

  7. Anonymous Coward
    Anonymous Coward

    Caravan owners are a resilient lot

    They are caravan owners after all.

    After towing a great hulking toilet-on-wheels and camping in a soggy mosquito-ridden field, they are up for anything!

  8. Missing Semicolon Silver badge

    Nobody to sue

    Since you can't necessarily prove where the scammer got your details, you can't empy the accounts of their liability insurers.

  9. Anonymous Coward
    Anonymous Coward

    Horse...Stable Door...Lamentations.....

    .....we've heard it all before.

    But we never hear about the C-level management going to know....asleep at the wheel....millions in bonuses....

  10. NerryTutkins

    Most caravaners are into dogging anyway, so pretty sure privacy isn't top of their agenda.

  11. spireite Silver badge

    Updates due...

    .....sometime in the awning.

    If they want to attract business going forward, it'll need one hell of a pitch.

    Have they pegged the access and damage?

    How they address this will determine the Calor of their P&L line

    Hopefully a Swift resolution.

    Finding the perpetrators will be like trying to find Elddis.

  12. zaax

    Why do they store people birth dates, and what processing do they do with it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like