Experts from Tripwire, HP Security Voltage, Lieberman Software, Proofpoint, Blancco Technology Group and Wynyard Group have commented on latest news that Carphone Warehouse was hacked and the personal details of 2.4 million customers may have been accessed. Up to 90,000 customers may also have had their encrypted credit card details accessed.
Tim Erlin, Director of IT Security and Risk Strategy, Tripwire :
“Unlike some of the other retail breaches of late, this one was discovered internally by Carphone Warehouse, and disclosed publically only a few days after discovery. That’s an improvement over breaches that were discovered through credit card fraud and kept undisclosed for longer periods of time.
It appears that 90,000 of the 2.4 million affected customers may have had their credit card data accessed, though it was encrypted. The limited number of credit cards affected should also limit the impact of the breach itself.”
Mark Bower, Global Director, Product Management, HP Security Voltage :
“It’s a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission.
Disk encryption protects data at rest but it’s an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion.
Another problem is that while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defenses to this. Today’s new-breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. These technologies included Format-Preserving Encryption which has been proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data’s journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen.
Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. It’s a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can’t monetize quickly move on to other targets.”
Philip Lieberman, President, Lieberman Software :
“This is an excellent example of where the CEO of the company, Sebastian James, now needs to step in and evaluate whether his leadership of his information technology department yielded what he and his board of directors view as an acceptable loss.
The CEO’s role today must be as the commander in chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future.
Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors reevaluate their security vendor choices and internal processes going forward.
As we can all see, perimeter protections failed and leadership needs to come to a hard realization that their interior protections were inadequate for today’s modern attacks. Appropriate privileged identity management (PIM) solutions coupled with hygienic automated management of identities might have reduced this intrusion to a non-event.
Better solutions and processes exist that would have mitigated these types of losses, but perhaps leadership was listening to the wrong advisors on technology and cyber-defense. These types of attacks should be anticipated and proper processes should be in place to minimize their consequences so as to not affect most customers.”
Kevin Epstein, VP, Advanced Security and Governance at Proofpoint :
What are the risks for customers?
“Any time key elements of identity, such as date of birth, address, bank information and/or credit card details are stolen, the impacted consumers are at risk of identity theft or direct financial attack. Corporations are also placed at further risk, as such information may be used to target strategic employees to gain access to additional institutions, often via Phishing. This attack reemphasizes the need for all organizations to preemptively invest in targeted attack protection and threat response systems”
Is it likely that the number of people found to be affected will go up?
“Post-attack assessment of impacted systems and customers is always challenging; while modern targeted attack protection and threat response systems can enable a much more precise estimate of the impact, it’s likely that full investigation and disclosure will take weeks to months more to complete”
Tips for what customers should do?
“In the short-term, consumers can take immediate defensive actions by placing a ‘fraud lock’ or ‘credit freeze’ on their credit records; that would mitigate the financial aspects of identity theft. In the longer term, customers and employees should urge all organizations to preemptively invest in targeted attack protection and threat response systems”
Other thoughts?
“Notification of impacted consumers and sponsorship of appropriate protection is a clear priority. Cyberattacks’ most expensive aspect isn’t cleanup; it’s brand damage. Restoring consumer confidence is paramount. To that end, subsequent disclosure of the attack source and implementation of new, modern targeted attack protection and threat response systems to prevent recurrence are also good steps to take, quickly.”
Pat Clawson, CEO of Blancco Technology Group :
“The cyber-attack on several of Carphone Warehouse’s websites is a glaring reminder of the vulnerability of customer data in a world where there’s no shortage of data and cybercrime has become a daily reality. What’s most troubling, however, is how vague the company was in describing the nature of the breach – calling it a “sophisticated cyber-attack.” There’s no indication of how the attack occurred or where the vulnerability within the company’s IT infrastructure was.
Was the security breach a malicious attack by someone on the inside? How is data monitored by the company? Does the company use any software to permanently erase data from all of its servers, networks, hard drives, virtual environments and devices? Or does it rely on simple deletion-command programs? These are all questions that Carphone Warehouse should be asking right now and looking at how it can learn from its mistakes down the road. In the next few days, the company needs to be as transparent and humble about acknowledging its mistakes and the actual root cause of the attack itself. That’s the only way the 90,000 customers who were affected will be willing to stay on as loyal customers.”
Paul Stokes, COO of Wynyard Group :
“This attack is another warning that even the largest and most complex systems can be exposed to cyber breaches. Businesses need to wake up to the fact that cyber-criminals’ sophisticated practices have rendered traditional perimeter defences, including proxy, firewall, VPN, antivirus and malware tools, inadequate to protect against attacks. To effectively protect themselves against this type of breach in the future, businesses need to adopt a new approach to cyber security – one that takes advantage of big data and smart algorithms to allow them to detect small anomalies before they become big problems.
“With mathematical machine learning and anomaly-detection capability, new information-driven cyber intelligence tools are designed to allow businesses to identify previously unknown, security-relevant patterns in an ongoing and timely manner. This helps businesses identify high-risk cyber threats and vulnerable areas early on in order to manage them more effectively.”
