Europe's largest caravan club admits wide array of personal data potentially accessed

The Caravan and Motorhome Club (CAMC) and the experts it drafted to help clean up the mess caused by a January cyberattack still can't figure out whether members' data was stolen. According to an update shared with members late last week and now published on its website, the CAMC listed all the different types of data that …

  1. sitta_europea Silver badge

    "Data security is of paramount importance to the Club, our members, guests, and suppliers. We have taken further actions under the instruction of our cybersecurity experts to enhance the Club's cybersecurity to help prevent this type of incident from happening again."

    Yeah, yeah.

    If the first sentence were true, you'd have done the things in the second sentence before it happened, not after.

    1. PhoenixKebab

      "The organization has asked members not to make contact regarding any possible personal data security matters as it ***will be contacting affected members directly***, should the data be eventually found to be compromised."

      So they'll let people know their data has been compromised by using exactly the same contact information and other data that any phisher now holds.

      1. lukewarmdog
        Stop

        In fact, as the hacker, I'd be rubbing my hands together at this point.

        The 'only' contact the club is going to have with its members is when they definitely need to do something?

        One spoofed email advising you to change your password coming up!

    2. 0laf Silver badge

      Well they've hit a good few squares on "cyber incident bingo" so far and seem to be aiming for the full house.

      I await "victim of a sophisticated attack" to be announced before I'll shout "house".

  2. tiggity Silver badge

    "The official line at the beginning was that investigators had been drafted in and there was no evidence to suggest member data was compromised, a stance that has since shifted to open up the possibility of data access. CAMC, however, reported itself to the UK's data watchdog, the Information Commissioner's Office, from the outset."

    In so many of these cases a lack of honesty & transparency from the outset.

    If in doubt, communications assume the worst case data leak scenario & warn customers ASAP

    .. If it turns out the actual result was "better" than worst case scenario, then regard that as a bonus.

    The BS of "minor incident" gradually unfolding over time to statements along the lines of "Ooh, crown jewels nabbed" gets tedious & irritates customers.

    I'm not one of the El Reg readers affected by this, just sick and tired of seeing the same old PR drivel, when customers would be better served by honesty, even if it's just "we don't know how bad it is, so assume the worst until we know otherwise".

    1. Jim Willsher

      "I'm not one of the El Reg readers affected by this"

      I am, and the CAMC has been shambolic at handling this. The first we knew was the website going down (500), then they put up a holding page. It was ~6 days before they issued their first statement. They claimed they were told not to go public with an announcement, presumably in the hope that their 1M+ members (including myself) simply wouldn't notice.

      In January. When most people have a new holiday year. And are starting to book holidays. Like we were trying to.

    2. Anonymous Coward

      Having been sat on the inside of a couple of incidents, IT are usually the ones pushing for transparency, PR just do as told and it's Legal and Insurers that cause the problems with doing so.

  3. spold Silver badge

    On the upside

    Thousands of hacked companies can now breathe a bit easier as their exfiltrated data is now stuck in a long line of traffic to the dark web behind all this stuff.

    1. Anonymous Coward

      Re: On the upside

      Yes, but it will have impact as now people will know who owns one..

      :)

  4. spold Silver badge

    More of the same...

    "I would like to offer my sincere apologies for any inconvenience this has caused, and thank you for your continuing patience as we return to normality,"

    That's what they say every bank holiday.

  5. abend0c4 Silver badge

    CAMC ... offers a variety of insurance policies

    Hope they remembered to cover themselves against IT risks.

  6. Stuart Castle

    The problem is, even if you have the best security systems on earth, there can still be flaws in the system that expose your data to a skilful hacker (or even a trojan written by a skilful hacker). Even if there aren't, all they need is an operator with a weak password or that falls for a phishing attempt. If that operator is an admin, then that is better for them.

    The problem is that ideally, all companies handling any kind of data they don't want in the open, should have secure and up to date tech (this includes all software and devices that the data might be stored on, accessed by or travel through) that is thoroughly locked down, and regularly security tested. All staff that have any access to the data should receive proper training on keeping that data secure, including anti phishing training, and should be regularly (and anonymously) tested.

    I should note that even the most skeptical, security minded people *can* be fooled into falling for scams.

    That's the ideal world, from a security point of view. We work in the real world. What is ideal is often costly and inconvenient, so tends to get forgotten.

    1. Mike 137 Silver badge

      "including anti phishing training"

      Training alone is insufficient as regardless of how intensively you train, front line staff remain non-expert in detecting phishing attempts (which requires both technical understanding and investigative action in each case). There are, however, technical fixes that can make a huge difference (e.g. stripping the clickable element from URLs in emails from outside the enterprise). That's rather obvious, isn't it, but hardly any organisation seems to do it.

  7. Anonymous Coward

    Caravan owners are a resilient lot

    They are caravan owners after all.

    After towing a great hulking toilet-on-wheels and camping in a soggy mosquito-ridden field, they are up for anything!

  8. Missing Semicolon Silver badge
    FAIL

    Nobody to sue

    Since you can't necessarily prove where the scammer got your details, you can't empty the accounts of their liability insurers.

  9. Anonymous Coward

    Horse...Stable Door...Lamentations.....

    .....we've heard it all before.

    But we never hear about the C-level management going to jail....you know....asleep at the wheel....millions in bonuses....

  10. NerryTutkins
    Devil

    Most caravaners are into dogging anyway, so pretty sure privacy isn't top of their agenda.

  11. spireite
    Coat

    Updates due...

    .....sometime in the awning.

    If they want to attract business going forward, it'll need one hell of a pitch.

    Have they pegged the access and damage?

    How they address this will determine the Calor of their P&L line

    Hopefully a Swift resolution.

    Finding the perpetrators will be like trying to find Elddis.

  12. zaax

    Why do they store people's birth dates, and what processing do they do with it?
