Your customer details...
The new Gold, better than gold!
That's how many in the past two months? Some people have been really, really busy...
Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked. The company said on Saturday afternoon that it had first discovered its systems had been violated by a " …
I voluntarily give Microsoft my details each year. I sign many agreements with my name, address and other details, I also sign electronic agreements with my info too. I get sent one email per year from them, I have never had an unsolicited email, phone call or snail mail from them.
So Carphone Warehouse get hacked. It's always a sophisticated hack because they can't admit their security is utter shite, I'm surprised they don't claim they were hacked by a Nation State to try and shift the blame elsewhere.
They then compound their stupidity by telling the customer it's their responsibility to sort out issues. What a bunch of utter clueless fuckwits. I'm pleased I pay for all my PAYG with cash as I need it.
Epic fail.
So obviously not our fault. What could we do? So no compensation for all the inconvenience changing CC details, passwords, pins and ongoing identity theft risk, because, well, how could we ever be expected to defend ourselves against an attack as sophisticated as that.
Yeah, right. Funny how *all* these attacks are sophisticated.
Had to downvote your post about downvotes because, well, that's generally what happens around these parts. There's been many a time I've started to write a rant about downvotes on my posts, even on posts that contain simple undeniable facts rather than opinions, but then thought better of it. It's best just to ignore them.
"The usual waffle about announcing a breach and then saying your security is important to us."
I have a lot of important things on my To-Do list as well... doesn't mean that I will tackle them any time soon, since there are different shades of importance, and then there's priorities, and meetings about priorities and backlogs with lots of important things... Sounds familiar, Carphone Warehouse?
Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.
It seems to me that the industry should start insisting on such things. Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.
Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems?
Lots and they are about as effective as an MCP.
Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.
If you look for IT Security jobs you will see this. You really will.
There are dozens and dozens of IT security certification schemes and training courses. It is very much courses for horses, and everyone will have an opinion as to which are good and which are crap. The SANS courses are generally very, very well regarded but they aren't for everyone.
I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening. I do take your point about SANS, but I am thinking more along the lines of something like an NVQ in IT security as being a minimum for all IT professionals.
"it's more that all IT jobs should have a proven competency in IT security as an absolute requirement" -- Swiss Anton
IT jobs don't even require proven competency in IT, let alone the subcategory of security. With a degree in genetics and a PhD in biochemistry this suits me, although it staggers me that after a few hours reading code in a language I didn't know before, I can spot huge errors (by which I mean ones that are simultaneously trivial and massive) committed by soi-disant software 'engineers' or even 'architects', more often than not with the hideously undeserved prefix of 'senior' or even 'principal'.
The problem is always (upper) management. They are the ones who tell HR to hire from the very bottom of the barrel; the ones that feel almost any form of testing is a waste of budget; and the ones who, time and time again, emerge absolutely scot-free, shrugging off any consequences, either direct (fines or jail time) or indirect (damage to their careers).
Although it would be nice to think this is a problem that could be approached from the bottom, with certification, professional bodies and meaningful qualifications, after a few decades in the industry I am more and more convinced that it can only be solved top-down. It should not be acceptable for CEOs to issue, via their spokestards, meaningless apologies referring to utterly unsubstantiated 'sophistication'; notifying the authorities too late ('because we wanted to establish the scale of the breach') and transferring all responsibility for cleaning up the mess onto the victims themselves.
The Data Protection Act requires that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Failure to comply can lead to fines for the company and the company directors.
So if CW cannot demonstrate that the technical and organisational measures they had in place were "appropriate" [in the light of increasing prevalence of cyber attacks] then both the company and its directors may be liable for HEFTY FINES.
I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening.
You could have every member of your IT staff trained and qualified in IT Security, but if your beancounters and middle management don't have an appreciation of the need for security, it ain't going to be implemented correctly.
Yes (if you must get certified) ...
SSCP for techies
CISSP for architects, managers and techies
They are comprehensive on the best practices... Just reading a CISSP or SSCP study guide and applying the detail would be a good start.
There are also good best practice guides from SANS and OWASP.
Don't get hung up on cyber security job titles though .. my job entails security engineer, analyst and architect roles but I've been too busy over the last 20 years to get certified.
>Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.
You forgot the Joke icon, my friend. MCP, MCSE, or MCSD, to anybody knowledgeable in Casio or Texas Instruments calculators or more advanced IT systems means window and surface specialist, good with vacuum cleaners and mops, not to be allowed near anything digital.
When you sign up for a contract, they usually ask for your bank account details for the direct debit for your monthly payment, and they also ask for your credit card details. If there is any up-front charge, they normally charge this to a credit card. If there isn't, they normally make a tiny charge (1p, sometimes) to the credit card as a form of identity verification. (Credit card companies don't like this practice, but it still happens fairly often).
Carphone Warehouse have bought many other businesses over the years. This includes a number of web based mobile phone dealers - e2save, mobiles.co.uk and onestopphoneshop. They have typically kept these brands alive as separate brands. If you go to their websites, it is not obvious that they are Carphone Warehouse unless you read the small print (although if you actually buy a contract from them, they then become open about it after you have signed up). The prices on these websites are usually better than those on Carphone's own branded website or in their store, so I have bought phone contracts that way. I haven't yet received an e-mail from them telling me that they have lost my data, but maybe I will.
What it seems is that Carphone have not fully (or possibly at all) integrated their customer records from all the businesses that they have bought. Probably their systems are a horrible ad-hoc mess of incompatible systems nastily stitched together. Security practices are probably inconsistent and of varying quality. They have therefore had some customer records compromised and not others, and they took three days figuring out precisely which.
...and within the next week or so there'll be another article about how we all use/re-use bad passwords. As if that will make any difference. I try to make an effort with passwords for any site I give my credit card/personal details to, but clearly I might as well use "password" for all the good it'll do.
Am I missing the point but having signed up to a contract last year (2 year contract) where the direct debit is set up and charged via the service provider (CPW work on commission) - why are they storing my details used at the point of initiating the contract that should no longer be needed?
If they did not have them (as no longer required) would that not limit everyone's risk? and doesn't the data protection act say something along the lines of not storing data beyond its requirement?
To top it off their resolution is solely to say email a sorry letter inferring the clients pick up the bill on time, effort and payment to other companies that may be incurred for their failure (minimum should be signing up those breached to ongoing free credit checks for a certain period of time).
But...
If they did not have them (as no longer required) would that not limit everyone's risk? and doesn't the data protection act say something along the lines of not storing data beyond its requirement?
The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years. Can't have the plebs laundering a few squid now can we eh? Gotta keep track of everyone just in case they start supporting IS etc etc etc
Then there is the Taxman (cometh). They are a whole different Kettle (EU Size approved naturally) of Fish.
So do you really want to be the person who deletes some possibly vital (in the eyes of someone else) bit of data?
"The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years."
Simple solution: CW copy all the records that they no longer need onto a USB stick, delete the records from their own systems, and give the stick to the spooks. Any subsequent breaches of those records can be blamed on GCHQ.
But yeah, the spooks aren't actually *helping* the nation's IT security if they force commercial entities to retain records long after they have any value to the commercial entity that is paying for the storage.
Utterly rubbish. Why should I have to pay for credit and security checks/alerts with people like Experian because Dixons Carphone can't be bothered to do security properly themselves?
I got the email about my credit card details being compromised as a Mobiles.co.uk customer even though I got a contract with o2 through them over 6 months ago and I pay o2 directly. Why have they held my card details??
Obviously cannot and should not be trusted.
You shouldn't - if they were genuinely interested in their negligence and in showing good faith they would have already contacted the likes of Experian and negotiated a deal to cover all those to be able to check for a period of time (I vaguely remember Worcester City Council losing personal data and covering those impacted for 2 years along with enrolment into other monitoring schemes)
By the email advising they are limiting their liabilities, placing the onus on you whilst knowing only a few will run the gauntlet on the financial loss accrued in following their guidance due to their issue i.e. £90 x 1000 customers not giving up the blockers in pursuing financial loss is a lot less than 2.4 million customers x £5 (p.s. I am speculating this is how they will look at it - the £90 is 6 months Experian cover - the £5 is a complete guess but would be surprised if they could not get it below that).
AFAICT this is TalkTalk helpdesk's response to their customers who signed up via Carphone Warehouse. So it's not difficult to envisage the situation that TT encrypt (?hash) customer passwords at their end but CW don't, leading to a situation where only some TT customers, those from CW, have unencrypted passwords floating about and the rest don't.
Not being a customer of either I'm not sure about processes here but does this imply that the same password is being passed between the companies?
Looking forward to finding out why they still have my details on record 2 years after ordering a contract. There is 0 reason for my bank details to be stored for that long and it shows a serious lack of thought about security. I am also looking forward to them sucking it up and ensuring everyone's banks are contacted on their behalf and free fraud monitoring services for all former customers. You can bet I am a former customer by the way.
Until someone makes the fuck-tards at the top responsible for the security of the data they are supposed to be protecting things will rarely change.
I know for a fact that senior management regard IT and especially IT security as nothing but a money pit, and they WILL cut every penny or refuse to invest the money required to ensure that customer data is secure. I am going through this yet again now - all in the name of making things 'simpler', which in actual fact is really making things less secure.
... and we have done ever since Wednesday.
WHY are they allowed to say this without journalists laughing in their faces? It's no different to being pulled over by the cops for doing 60 in a 30 limit and telling them earnestly "I always drive very carefully."
I also love the way on the TV news this morning they said "The attack was detected --- and stopped --- on Wednesday" STOPPED? Do me a favour; are we supposed to imagine a plucky CW IT security bod stopping an ominously moving progress bar by rapidly entering keystrokes at a command line, resulting in a whole screen blinking message "ATTACK STOPPED AT 10%". LIES LIES LIES.
Finally, if it turns out the attack wasn't really that 'sophisticated', any organisation responding with a claim that it was should have their punishment automatically increased for LYING. Not telling the ICO straight away because "we wanted to assess the size of the breach" ALSO LYING. This last lie is so bad that it should warrant an additional fine big enough to seriously damage the long term viability of any company that uses it.
"Finally, if it turns out the attack wasn't really that 'sophisticated', any organisation responding with a claim that it was should have their punishment automatically increased for LYING."
Mechanisms do exist for that. If customers notify their banks (and yes, I agree it shouldn't be their job) then the losses will be carried by the banks. These banks *ought* therefore to turn round to CW and say "Your fees for next year (and beyond) will be significantly higher because you are demonstrably shit and costing us a good deal more than simply transaction costs."
Whether the banks can be bothered, however, is another matter. I expect the costs will simply be passed on until they hit someone who can't pass them on further. That would be you and me.
Why on earth does a mobile phone company need your Date of Birth? The first rule of security is never to share passwords, and the second is never to use a password that can be easily found out or guessed.
Yet the standard security questions used by almost all organisations are Date of Birth and Mother's Maiden Name. Disclose those to one and you've effectively let them hack in to all your accounts everywhere.
I've done business with this bit of CPW. They are cheap. I have received customer service and sales calls from them on occasion, though, in which they have called me, have attempted to sell me an upgrade, I have said yes, and then they have asked me for my address, date of birth, mother's maiden name etc in order that I identify myself. I have refused, on the basis that I don't give personal information to people who have called me, although I might when I have called them. They have then been mystified as to why the two cases might be different. This is not inspiring.
Is there a graph somewhere I don't know about which shows how good an attack was versus how good the security on a site was?
Or a sliding scale maybe starting off with brute force on the left with 0 day attacks on the right?
I have no idea how they get actually measured. Is there not an el reg measuring tool? Like half an opm based purely on the numbers used and the probability of it being a nation state sponsored attack?
Sure there was a data breach with lots of personal information stolen but "... with the confession that up to 90,000 subscribers may have had their credit card info ransacked.... Encrypted credit card data of up to 90,000 customers may have been lifted by malefactors... ".
Whoa... did they nick the crypto keys too?? If not then it's useless to them, right? This piece of journalism is too sensationalist and obviously wrong. El Reg, you should know better.
I really don't get how in today's world, where it is not IF you get attacked but WHEN you get attacked, these companies are still refusing to invest in post-breach tech and forensics!
Seriously... whatever happened to being accountable? whatever happened to business reputation damage limitation? Whatever happened to protecting your most valuable assets... Your bloody customers!!!
There is no excuse for sloppy security. There is enough tech out there now to investigate an attack as it happens, see what happened 10 minutes before, 10 minutes after AND know exactly what was taken.
It's just lazy and arrogant not to protect your IP and customers. I hope millions walk from their shocking service. Much better than any fine imposed.
Could someone who has received one of these "We may have leaked some of your details. Our screwup, your problem" emails send Carphone Warehouse a subject access request to find out exactly what information they hold on you? If they send you back your own unencrypted password and credit card details then you know you have to worry.
https://ico.org.uk/for-the-public/personal-information/
So... is this just news-fodder for the media or was this a serious data breach/theft?
If all that was stolen were encrypted card details then that's as much use to criminals as an igloo in Australia....
I will admit that having details stolen due to a breach is embarrassing but that's why important data is encrypted in the first place!
What gives? Are CFW not telling us something? Encrypted data isn't any use to anyone unless they have the means to decrypt it, so why didn't they announce that whilst data was taken it was safe and inaccessible and therefore 'no need to panic'....or was it the media that failed to mention that...?
From the scant details we've been given by the press it looks like the thieves got away with a lot of personal data, which is obviously bad, but the cardholder data was encrypted, so no big deal. I agree with you, that bit of the story should be held up as a good news story. They complied with PCI DSS and others.
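The exchange above (and the earlier "did they nick the crypto keys too?" question) turns on one point: a dump of encrypted cardholder data is only worthless to the thief if the data-encryption key was not stored alongside it. The following Go program is an added illustration written for this page, not code from Carphone Warehouse, TalkTalk or any PCI DSS reference; it assumes AES-256-GCM, a key held outside the record store (an HSM or KMS in practice), and uses the well-known constructed test number 4111111111111111 rather than a real card.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CardRecord is the shape of one row an attacker would get from a dump of
// the card table: last four digits in clear for display, plus the AES-GCM
// nonce and ciphertext. The data-encryption key is deliberately not part of it.
type CardRecord struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; the 16-byte auth tag is appended
}

// NewDataKey returns a fresh 256-bit key. In production this lives in an
// HSM or KMS (an assumption of this example), never in the same database
// as the records it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the full card number. The stored last-four digits are
// bound in as additional authenticated data, so swapping them on a record
// is detected at decryption time.
func EncryptPAN(key []byte, pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	aead, err := gcmFor(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(last4))
	return CardRecord{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN recovers the card number. With the wrong key, or a record that
// has been altered, GCM's tag check fails and nothing is returned.
func DecryptPAN(key []byte, rec CardRecord) (string, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// PANVisibleInDump reports whether the stored bytes contain the card number
// in the clear, i.e. what someone holding only the table dump could read.
func PANVisibleInDump(rec CardRecord, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan)) ||
		bytes.Contains(rec.Nonce, []byte(pan))
}

func main() {
	const pan = "4111111111111111" // constructed test number, not a real card
	key, _ := NewDataKey()
	rec, _ := EncryptPAN(key, pan)
	fmt.Printf("stored: last4=%s nonce=%x ct=%x\n", rec.Last4, rec.Nonce, rec.Ciphertext)
	fmt.Println("PAN readable from dump alone:", PANVisibleInDump(rec, pan))

	// Key held separately: the legitimate service can still decrypt.
	got, err := DecryptPAN(key, rec)
	fmt.Println("with the real key:", got, err)

	// Holder of the dump but not the key (a different key stands in for "no key").
	other, _ := NewDataKey()
	_, err = DecryptPAN(other, rec)
	fmt.Println("with a wrong key:", err)
}
```

The design point is the separation: the record store never holds the key, so a database dump yields nonce plus ciphertext only, and every attempt to open it without the key fails the GCM authentication check. If the key had been kept in the same system that was breached, the same dump would decrypt cleanly, which is why "the card data was encrypted" only reassures once the key management is known.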
After these events are published a ruck of smug smart 4rses comment on how the company that was attacked is to blame. If a thief breaks into a petrol station we don't pillory the station for not having an armed SWAT team available instead of relying on a burglar alarm!! In InfoSec cases we seem to glorify the hacker and castigate the victim. They and other companies are having to pay ridiculous amounts of money to stop these thieves from breaking in and stealing stuff. There's something not quite right there. Let's start referring to them as thieves instead of hackers and maybe that will help change perspective.