News broke today that Carphone Warehouse has been handed a £400,000 fine after one of the company’s computer systems was compromised as a result of a cyber-attack in 2015, putting millions of people’s data at risk. IT security experts commented below.
Itsik Mantin, Director of Security Research at Imperva:
“In the modern data era where organizations store and rely more and more on data to run their business, data breaches are becoming part of the organizations’ life. In the race between hackers and cyber defenders, each of the sides has its victories, and thus another phone company getting hacked may not seem to be significant news.
What’s concerning with this story is the method used for the attack. It is one of the most common and simplest attack flows, and it does not require strong technical skills. It is basically: run a pentest tool to identify vulnerable points, exploit the vulnerability, install a webshell as a backdoor in the application server, and from that point the way to the users’ database is very short.
With the public becoming apathetic to security breaches, the ICO gives a signal that they are not, especially when they observe such a salient lack of proper security measures. This fine is also a reminder, and perhaps a wake-up call, to organizations that have PII data (and which organization doesn’t have PII these days?) that GDPR is just around the corner and choices need to be made — secure your business or lose your business.”
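The attack flow described in the quote above (vulnerability scan, exploitation, webshell dropped on the application server) leaves a recognisable trail in ordinary web-server access logs. The following detector is an added example written for this page; it is not code from Imperva, Carphone Warehouse or the article's author. The log lines, the scanner user-agent list, the `/uploads/` directory and the parameter names it treats as webshell-like are all constructed assumptions, chosen to show how the stages of that flow can be correlated per source address.

```python
"""Correlate the scan -> exploit -> webshell pattern from web-server access logs.

Added example for illustration; the sample log, indicator lists and
directory layout are constructed assumptions, not data from the article.
"""
import re
from collections import defaultdict

# Constructed sample in Apache/Nginx combined log format (not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2018:10:05:10 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "sqlmap/1.1"
203.0.113.9 - - [10/Jan/2018:10:05:11 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "sqlmap/1.1"
203.0.113.9 - - [10/Jan/2018:10:07:30 +0000] "POST /upload.php HTTP/1.1" 200 120 "-" "sqlmap/1.1"
203.0.113.9 - - [10/Jan/2018:10:08:01 +0000] "POST /uploads/img.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.18"
198.51.100.7 - - [10/Jan/2018:10:09:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed indicator lists; tune them to the application being protected.
SCANNER_UA = ("sqlmap", "nikto", "nmap", "acunetix", "w3af")
SHELL_PARAMS = {"cmd", "exec", "command", "c"}
UPLOAD_DIRS = ("/uploads/",)          # assumed: user-content directory that must never serve scripts
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".asp")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    path, _, query = entry["path"].partition("?")
    entry["path"] = path
    # Only the parameter names matter here, not their values.
    entry["params"] = {p.split("=", 1)[0] for p in query.split("&") if p}
    return entry


def analyze(log_text, not_found_threshold=2):
    """Return (ip, indicator, path) alerts for each stage of the scan/exploit/webshell flow."""
    alerts = []
    not_found = defaultdict(int)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        ip, ua = e["ip"], e["ua"].lower()
        # Stage 1: an off-the-shelf scanner announcing itself in the User-Agent.
        if any(tool in ua for tool in SCANNER_UA):
            alerts.append((ip, "scanner_user_agent", e["path"]))
        # Stage 1 (quieter variant): a burst of 404s from one source while probing paths.
        if e["status"] == 404:
            not_found[ip] += 1
            if not_found[ip] == not_found_threshold:
                alerts.append((ip, "probe_404_burst", e["path"]))
        # Stage 3: a server-side script being requested from an upload directory.
        if e["path"].endswith(SCRIPT_EXT) and e["path"].startswith(UPLOAD_DIRS):
            alerts.append((ip, "script_in_upload_dir", e["path"]))
        # Stage 3: command-style parameters on a POST, typical of webshell traffic.
        if e["method"] == "POST" and e["params"] & SHELL_PARAMS:
            alerts.append((ip, "webshell_like_request", e["path"]))
    return alerts


def suspicious_sources(alerts, min_stages=3):
    """Source IPs that triggered at least `min_stages` distinct indicator types."""
    stages = defaultdict(set)
    for ip, kind, _ in alerts:
        stages[ip].add(kind)
    return sorted(ip for ip, kinds in stages.items() if len(kinds) >= min_stages)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("correlated sources:", suspicious_sources(found))
```

Each indicator on its own is noisy (a single scanner user-agent or a couple of 404s is everyday background traffic); the point of `suspicious_sources` is that a source address hitting several distinct stages of the flow is what distinguishes the pattern in the quote from ordinary noise. Blocking script execution from upload directories at the web-server level removes stage 3 entirely, which is the cheaper fix.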
Nir Polak, CEO at Exabeam:
Ilia Kolochenko, CEO at High-Tech Bridge:
“With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to the bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy.”