£400k fine for Carphone Warehouse from the Information Commissioner
The sorry state of affairs at Carphone Warehouse simply highlights the complete lack of cyber awareness at board level.
Following the £400k fine from the Information Commissioner following the loss of over 3,000,000 personal records including credit card details – it’s actually hard to know where to begin.
The full report is given here – but to summarise just a few of the gory highlights:
- They were using a SIX year old copy of WordPress. Web facing.
- Inadequate patching despite policies being in place and no means to know otherwise.
- No pen-testing had been carried out in the 12 months leading up to the attack, despite being policy
- The SAME root password used everywhere, shared by “30-40 people”. Presumably “p455w0rd”
- The business was unaware it was retaining historic transaction and credit card data, choosing to blame a contractor who had been working there.
- Historic data included the CVC – in contravention of the PCI DSS
- No WAF or Anti-Virus was installed on any servers.
- The data was encrypted but the encryption keys stored in plaintext.
- Internal monitoring took 15 days to spot ongoing decryption and exfiltration
“Wide-ranging and Systemic”
The Commissioner explains that any one of the inadequacies found would have constituted a contravention of DPP7 (“principle 7”) – and goes on to note that the problems were wide-ranging and systemic rather single isolated gaps in an otherwise robust package.
“Unjustifiably high standards of data security”
One aspect of their defence was shocking. When the Commissioner pointed to the outdated software, inadequate patching, the absence of WAF and Anti-Virus, and then some – Carphone Warehouse submitted that in taking this view the Commissioner was imposing “unjustifiably high standards of data security by reference to industry norms at the relevant time (mid-2015)”.
Patching, Anti-Virus and a WAF an unjustifiably high standard of security?
This surely demonstrates a complete lack of interest in the security of personal information. The board were no-doubt interested in generating sales, but never stopped to consider matters of corporate governance. Interestingly CPW hired TWO forensic experts, which from my experience is normally an attempt to cherry pick the weaker arguments out of the two reports and aim for the lowest common denominator.
The Honeypot effect
Maybe it’s time to take a different view.
Carphone Warehouse got caught, but there are plenty of inadequately protected mid-to-large sized businesses to fill their shoes. Why should we be worried?
For small businesses willing to invest a little in information security, we’ve got great news. There are growing numbers of really good in-cloud and on-premise tools out there that will help to keep your business data safe. The costs for many of these services are often dis-proportionately in favour of small- and micro-businesses. Some of them are even free.
If you can deploy a few of these services, make sure you turn on all of the additional security features you already have – things like 2FA (Two-factor Authentication), keep your network patched and maybe even get your passwords in order…
…then maybe your business will slide under the exploit radar. These larger and “justifiably insecure” businesses will form a valuable honeypot – justifiably large enough to attract all the cyber interest away from you. Until they all get clobbered by GDPR.