What is it with online card companies and crap InfoSec?
Moonpig had its issues too.
British retailer WH Smith has confirmed that Funky Pigeon, its online greetings card and gift subsidiary, has halted all further orders after a "security incident." The company's social media feeds told customers late last week that "technical issues" were delaying new business being processed. Today London Stock Exchange- …
Translation: "Oh sh*t, we got caught out"
This statement never convinces anybody, so why does every business trot it out after a data breach? Maybe due to the same disconnect from reality that allowed the breach to occur in the first place.
why does every business trot it out
It's like the infamous "remorse" statement in alleged British Justice: "My client pleads guilty to attacking 27 people Your Honour, but has demonstrated remorse".
Absolute b0ll0cks of course, but it's an expected thing now.
Whatever man can make, man can break.
I think most places do take customer data security seriously. But anyone can be caught out. One exploited zero-day, one idiot user clicking the wrong thing, one incompetent developer, one greedy/disgruntled/vengeful insider: that's all it takes. If it's online, someone determined will find a way to breach the defences.
PR Checklist
"We take the security of customer data extremely seriously" Check.
"[We are] currently investigating the detail of the incident with external IT specialists." Check.
"No customer payment data ... has been placed at risk." Check.
"[We are] currently investigating the extent to which customers' personal details ... were accessed." Check.
Yet to come: "we have discovered a limited number of accounts had their personal data compromised."
Finally: "We have identified a limited number of accounts whose payment data was compromised."
There are a lot of negative comments which I feel are slightly unfair. I've never used Funky Pigeon, and forget the last time I went into a WHSmith, but in today's world it's generally recognised as a case of 'when' not 'if' a company is going to suffer some form of a cyber incident. Without knowing the facts, as an Info Sec manager for a retailer, I can only watch with sympathy from the sidelines as another company falls victim with the negative publicity that ensues. However much is invested in cyber security, this could happen to any company as is proven each time there's a headline like this.
With regards to their PR template, they're damned if they do, damned if they don't say something. They'd be equally criticised if they didn't roll out the standard "customers' data is important to us..." and said nothing.