British retailer Kiddicare has suffered a data breach in which the personal details of nearly 800,000 customers have been stolen. The company said that the data had been taken from a version of its website that had been set up for testing purposes at the end of 2015. Customers have reported suspicious text messages that have not been sent by Kiddicare, suggesting that the hackers are using the personal details for targeted scams. Here to comment on this news are security experts from QA, Blancco Technology Group and WhiteHat Security.
Richard Beck, Head of Cyber Security, QA:
“In security circles we talk a lot about the insider threat – where either through malicious intent or genuine mistake, the actions of an individual exposes their employee to a cyber security problem. It’s an increasingly serious challenge, as highlighted by a recent study by ISACA and the RSA Conference, which found that four in ten organisations have experienced insider damage at least quarterly in 2015. It’s not clear in the Kiddicare incident whether the breach was caused by human error or deliberate intent but it does underline that organisations need to be vigilant in two areas. First, set clear IT security policies for their staff to follow. Second, ensure that staff are adequately trained to understand the importance of and adhere to, the security policies they have been given.”
Pat Clawson, CEO, Blancco Technology Group:
“First of all Kiddicare should be commended for reporting itself to the UK’s Information Commissioner and directly contacting the customers that may have been affected. The firm has acknowledged its mistake, taken responsibility and learned the lessons. This is in stark contrast to the children’s toy manufacturer Vtech, who in the same circumstances chose to put the burden of responsibility on its users.
However, it is still deeply concerning that real customer data was left vulnerable on a Kiddicare ‘test’ website it had been experimenting with over 6 months ago. If Kiddicare had a responsible data lifecycle plan in place, it would have permanently erased all of this data when the testing was complete. Data erasure is one small but very important piece of the data security puzzle when it comes to preventing a data breach, as many companies are discovering the serious consequences and costs to themselves and their customers.”
Johnathan Kuskos, Manager, Threat Research Centre at WhiteHat Security:
“This data breach is the result of an overly cavalier attitude towards client data and not practicing development with security as a forethought. Kiddicare really has been foolish in using its customers’ actual personal data on a test website. A smarter approach would have been to generate dummy data that fits each of the required fields, so that even if a malicious party did manage to find a vulnerability, the data they could have stolen would be worthless. Perhaps the most important question for the Kiddicare IT team is why was this “test” website publicly accessible in the first place?”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.