The usual shrieking headlines this week, as Dixons Carphone announced that it has been the victim of a major data breach which has been going on for over a year and has exposed the card and personal details of 5.9 million customers.
Somewhat worryingly, the company said this:
The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised.
Well that’s OK then, chip, PIN and CVV to the rescue. Never mind that a card number, expiry date and cardholder name are still enough for card-not-present fraud at merchants that don’t insist on the CVV, or that, since this has been going on for over a year, all of the other details will no doubt have made it to the dark web (mwahahaha) and are swimming in the gargantuan data lake of personal details waiting to be abused by criminals major or minor.
You will recall that this outfit has form when it comes to breaches. Carphone Warehouse was fined £400,000 for a breach in 2015, as was TalkTalk (Carphone’s former telecoms business) for a breach in the same year.
Let’s hope for the employees’ sake that this breach does not stretch past 25 May 2018, when GDPR came into force, and is therefore not subject to the eye-watering fines that legislation introduced.
Matthew Vincent of the FT makes a very good point. Currys PC World stores have a ‘KnowHow desk’ with the tagline “We believe that everyone has the right to expert help for all technology”. Perhaps the IT and Cyber management should book themselves an appointment.
With news of profit warnings and intense competition from online retailers, and given that this is a merger of three businesses, we would happily bet that this breach will be found to have something to do with ‘legacy’ IT, or as we have heard it called recently, ‘heritage’ IT.
If we are going to start calling old tech ‘heritage’, we should have a grading system like the one for listed buildings, shouldn’t we?
Grade 1 listed – This is an old machine made by Sun Microsystems, or something more exotic like a Sperry UNIVAC or even a dear old VAX. It has been powered on since the dawn of time. Problem is, nobody knows what it does, the non-standard keyboard has been lost and the screen doesn’t work.
Grade 2 listed – This is an old Compaq server with ESDI drives. It is running Novell NetWare and is named after one of the characters in The Lord of the Rings. Dave administered it. Dave died in 1994.
Grade 3 listed – The new kid in town, this is a Virtual Machine, possibly in ‘The Cloud’. Trouble is nobody knows where it is. The credentials for the subscription went missing at the same time as hot-desking was introduced.
You get the idea.
Security controls are extremely difficult to implement in environments like these: you cannot patch, monitor or restrict access to a system that nobody owns, understands or can even locate, so finding out what you actually have comes before any control. Drastic action may need to be taken to avoid a car crash. A good place to start would be with a thorough cyber review. The good news is that we have a crack team of cyber experts who have a proven strategy and process to do just that. Contact them at: firstname.lastname@example.org or call 020 7517 3900.
Exciting news just in. Telefónica and Huawei, working with Universidad Politécnica de Madrid (UPM), have developed what seems to be a viable quantum cryptography solution (quantum key distribution) running over standard commercial fibre optics. Extra exciting for us because quantum cryptography was one of the predictions for the year we made at our Safe and Secure event. Smug? A bit.