News broke today that Carphone Warehouse has been handed a £400,000 fine after one of the company’s computer systems was compromised as a result of a cyber-attack in 2015, putting millions of people’s data at risk. IT security experts commented below.
Itsik Mantin, Director of Security Research at Imperva:
“In the modern data era, where organizations store and rely more and more on data to run their business, data breaches are becoming part of organizations’ lives. In the race between hackers and cyber defenders, each of the sides has its victories, and thus another phone company getting hacked may not seem to be significant news.
What’s concerning with this story is the method used for the attack. It is one of the most common and simplest attack flows and does not require strong technical skills. It is basically: run a pentest tool to identify vulnerable points, exploit the vulnerability, install a webshell as a backdoor in the application server, and from that point the way to the users’ database is very short.
With the public becoming apathetic to security breaches, the ICO gives a signal that they are not, especially when they observe such a salient lack of proper security measures. This fine is also a reminder, and perhaps a wakeup call, to organizations that have PII data (and which organization doesn’t have PII these days?) that GDPR is just around the corner and choices need to be made — secure your business or lose your business.”
Nir Polak, CEO at Exabeam:
“This incident highlights why it is essential for companies to understand exactly how individuals are interacting with the network and data. Had Carphone Warehouse had a means to monitor user activities, its incident response team could have spotted unusual use of valid credentials to access the affected databases. Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation’s security posture.”
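The point above about spotting unusual use of valid credentials can be made concrete with a small per-account profiling check over database-access audit lines. This is an added example, not Exabeam's product logic or code from the original article; the log format, the account and host names, and the thresholds are assumptions.

```python
from datetime import datetime

# Constructed sample database-access audit lines (illustrative, not from the
# Carphone Warehouse incident): timestamp, account, source host, table, rows.
LOG_LINES = """\
2015-08-01T09:12:03 svc_crm app01 customers 120
2015-08-01T09:40:19 svc_crm app02 orders 80
2015-08-01T10:05:00 jdoe wks-12 customers 5000
2015-08-02T11:05:44 svc_crm app01 customers 95
2015-08-03T14:22:10 svc_crm app02 customers 140
2015-08-04T10:30:00 jdoe wks-12 customers 6000
2015-08-04T11:50:31 svc_crm app01 orders 60
2015-08-05T02:17:55 svc_crm web-dmz-07 customers 2400000
"""

def parse(lines):
    events = []
    for line in lines.strip().splitlines():
        ts, user, host, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "table": table, "rows": int(rows)})
    return events

def deviations(event, profile, volume_factor=10):
    """Ways in which one event departs from that account's own baseline."""
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new source host")
    if event["ts"].hour not in profile["hours"]:
        reasons.append("unusual hour")
    if event["rows"] > volume_factor * profile["max_rows"]:
        reasons.append("volume far above baseline")
    return reasons

def detect(lines, min_reasons=2):
    """Score each event against the profile built from that account's earlier
    events, then fold it into the profile. A single deviation (a new app
    server, a late session) is routine; several at once raise an alert."""
    profiles, alerts = {}, []
    for e in parse(lines):
        p = profiles.get(e["user"])
        if p is not None:  # a first-seen account has no baseline to score against
            reasons = deviations(e, p)
            if len(reasons) >= min_reasons:
                alerts.append((e["ts"].isoformat(), e["user"], reasons))
        else:
            p = profiles[e["user"]] = {"hosts": set(), "hours": set(), "max_rows": 0}
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
        p["max_rows"] = max(p["max_rows"], e["rows"])
    return alerts

if __name__ == "__main__":
    for ts, user, why in detect(LOG_LINES):
        print(f"ALERT {ts} {user}: {', '.join(why)}")
```

Note that jdoe's 6,000-row query raises nothing because it is normal for that account, while the same valid svc_crm credential is flagged only when host, hour and volume all depart from its own history at once.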
Ilia Kolochenko, CEO at High-Tech Bridge:
“Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged “systematic failures” to implement commonly accepted standards of data protection, this fine is peanuts.
With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to the bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy.”