Dixon’s Carphone Data Breach

1118

News broke this morning that electronics retailer Dixons have suffered a data breach which has affected the customer cards of 5.9 million people, and the personal records of 1.2 million. IT security experts commented below.

Lee Munson, Security Researcher at Comparitech.com:

“The breach at Dixons Carphone highlights, yet again, how common attempts at exfiltrating personal data and payment card information have become.

What is worrying here is the delay between the breach occurring last year and the disclosure today. Whether or not that was down to the company not being aware until now is unclear. Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO must be informed within 72 hours whenever possible.

Whatever the case, a breach of this size is likely to affect Dixons Carphone at a time when it is ill-prepared for the consequences. Typically, a business will see its share price fall on the back of a breach before recovering in the longer-term. In this instance, the fragility of the company may mean that the short-term dip will prove to be fatal.

Of more concern is the affect this could have on the chain’s customers, millions of whom have had their personal or payment card information leaked.

Dixons Carphone says there is no evidence of fraudulent payments being made with the stolen cards but affected customers would be well advised to keep an eye on their bank and credit card statements in case of rogue payments being taken.

Where personal information has been swiped, victims should be doing the same while also keeping a keen eye on their credit reports, in case of identity theft.”

Paul German, CEO at Certes Networks:

“Despite the well publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies. As a multinational organisation, Dixon’s Carphone would have been well aware of the Target breach but didn’t take action to protect themselves against the exact same compromise where credit card data was targeted.

When it comes to cybersecurity, every organisation should assume that a data breach will happen at some point and therefore take steps to mitigate the associated damage and fallout. Dixon’s Carphone should have adopted a software-defined approach to cyber-security, which would divide the infrastructure up into smaller manageable sections, creating a reduced scope of risk. When a data breach occurs, the breach is contained to these smaller risk domains and prevents hackers from being able to laterally move around the entire organisation, preventing sensitive information like credit card details being accessed. Moreover, by overlaying security on the infrastructure using layer 4 encryption to protect data in motion, it actually becomes unable for hackers to view what data in sensitive, and where it sits in the organization, further reducing risk.

The real question is: how many more retailers have taken the ‘do nothing’ approach like Dixon’s obviously have?”

Niall Sheffield, Lead Solutions Engineer at SentinelOne:

“As the latest in a long line of big companies admitting data breach and loss of data, the public’s trust in the ability of these companies to safeguard their data is being eroded. Companies need to show their commitment to keeping their customers safe by investing in technologies and processes that ensure integrity. If companies are unable to do this, then regulations such as GDPR are going to publicly shame and fine these companies, as well as customers going elsewhere.”

.

Simon Cuthbert, Head of International at 8MAN by Protected Networks:

“This breach is just another example of an organisation failing to protect their most important asset – data. The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. Not to mention – this is the first breach case since the GDPR deadline passed on the 25th May. It will be interesting, and noteworthy, to see how the ICO respond to this breach as it will likely set a precedent for those that follow, and certainly kick others into action if they haven’t already ensured they are meeting, or at least attempting to meet, the new requirements.

If Dixons Carphone are unable to provide information on who accessed the data, when, and what they did with it, and deliver a report that evidences this, then they stand a risk of really falling foul of the regulator. Organisations need to ensure they have visibility of who has access to what data, and what they are doing with it, and demonstrate they are taking the necessary steps to protect their data.”

Patrick Hunter, EMEA Director at One Identity: 

“Another High Street business has been targeted and successfully hacked.  Retail companies are always going to be a good source of credit card and personal information as companies, like Dixons, collect a lot of customers.  The first major example of this was the Target breach in the US and this caused a massive amount of negative news for Target themselves but it should also have been a warning.

All companies in the EU have a duty to have maximum data privacy by default and, although this breach was last year, they should have been better prepared to meet the exacting standards of the current iteration of GDPR.  Dixons haven’t said that the data lost was encrypted for example – a simple measure that would have protected their customers’ data.

There is no information on how the breach was made but they stated that they are now working with experts to better protect themselves from a further attacks.  Yet again, the customer data has been on the balance with ‘cost to protect’ on the other side of the scale.  Risk – were they betting on not being attacked or did they genuinely believe that they had best security practices in place?  We can certainly suspect that there are companies out there that are doing just that, they are hoping their networks are not attacked.  This is no longer good enough.

Simple measures can be put in place to mitigate these breaches.  Two factor authentication is a relatively simple way of restricting access to resources and can be a cost effect solution.  We don’t know how Dixons was breached, whether internal or external, it doesn’t matter.  You can protect the data by locking away the passwords needed to access it and automatically change them regularly.  In order to get that password, you need permission from someone else in a position to make that decision.  This can be further enhanced by limiting the access employees have in general; understand what they can and cannot do, not should or maybe.  Any organisation that holds our data has to do more than hope they won’t be the next breach in the news.”

Andy Norton, Director of Threat Intelligence at Lastline:

“This is not the first time Dixons has been breached; They just paid a £400,000 fine for a 2015 breach of subsidiary company Carphone Warehouse. This will be an interesting precedent, as the the breach occurred pre-GDPR enforcement date, but the impact to victims will happen post-GDPR enforcement date. It will also be a dilemma for the ICO office, who has shown a preference not to impose large GDPR like fines. However, this is now the second occurrence and the ICO office will not want to be seen as being tolerant of data breaches.”

Itsik Mantin, Lead Scientist at Imperva:

“Modern businesses rely on data more than ever to carry out their operations, but the value of data comes with a growing business risk.

Dixons was “lucky” to have had the breach before the GDPR regulation became effective, and the impact of the breach on their business was limited to 5.5% fall in the share price.

Had the breach happened later than May 25, and if found guilty of not taking proper measures to protect their users’ data, they could have suffered the higher barrier of the GDPR’s monstrous fines.”

Luke Brown, VP EMEA at WinMagic:

“Breaches like this one are becoming all too common, and whilst the scale of the Dixons incident is huge, they’re not even a surprise any more.  What is surprising is that organisations are still playing fast and loose with their customers’ data.  It’s all well and good taking action to close off the unauthorised access, as Dixons has done in this case, but in reality this is simply closing the barn door after the horse has bolted.  The data is still out there.  A sensible posture that organisations should adopt is to assume their systems will get breached – because they will – and then put in place processes to minimise the risk.  Perhaps the most simple thing to do is to ensure all your data is encrypted.  That way if the worst does happen, the data will be unreadable to anyone who’s not authorised to read it.  Simple.”

Jan van Vliet, VP and GM EMEA at Digital Guardian:

“Dixons is just the latest in a long line of companies to have suffered a huge data breach.  As its CEO has acknowledged, when a company gets breached and loses data, the response and actions of the board and management team become hugely important.  In this instance, the company has attempted to bolster its cyber protection by bringing in experts and implementing extra security measures to its systems.  I can’t help but think this is simply too little, too late.  Dixons must thoroughly investigate what led to the breach and data loss, then build a remediation strategy that can help to avoid those same pitfalls in the future.”

Rich Campagna, CMO at Bitglass:

“It doesn’t matter if it’s a careless mistake or a malicious attempt to leak data, organisations must put in place measures to identify sensitive customer data and build controls around when that data can be accessed and by whom.  In this latest incident, simple data security rules could have been put in place to prohibit such a large volume of data from being shared outside the organisation without internal approval.  Retailers are major targets and will see any and all lapses in security exploited by malicious individuals, both internal and external.  As organisations make customer data more accessible to individuals and new systems, they must make information security their top priority.”

Stephen Gailey, Solutions Architect at Exabeam:

“This may end up being the first test of the ICO which recently fined Carphone for a 2015 data breach saying its protection was inadequate.  This second large breach demonstrates that little or nothing has been done by the group to improve that situations.  Will the ICO now use its extended powers and ability to fine or will it come under pressure to lay-off embattled high street chains?”

.

Tom Miller, Senior Vice President at Virsec:

“There are disturbing refrains we hear over and over with incidents like this, such as the claim that “There is no evidence” that the exposed payment cards were actually used fraudulently, yet the company didn’t discover the breach for over a year. If they were blind to the breach, not seeing evidence of fraud is hardly convincing.

“Also disturbing is the comment that “There is not connection to the previous incident” (the 2015 massive breach of Carphone Warehouse). Of course there’s a connection – the same organization got breached, fined, didn’t take adequate steps to change security, and got breached again.

“One hopes that the GDPR will raise the bar for accountability, but harsher penalties will not stop these incidents from occurring until business start seriously rethinking how they secure sensitive customer data.”

Robert Capps, Vice President of Business Development, NuData Security:

“As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile. In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world.

“Bad actors keep taking advantage of the smallest gap to steal customer data. For this reason, we must change the current equation of “breach = fraud” by changing how companies think about online identity verification. Companies need to protect all customer data, but more importantly, they need to make it valueless.

“Multi-layered technology that thwarts fraud exists right now. Passive biometrics and behavioral analytics technology are making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can’t replicate the customer’s inherent behavior attached to that data.

“The balance of power will return to customer protection when more companies implement such techniques and technology.”

James Hadley, CEO & Founder at Immersive Labs:

“Cyber criminals continue to develop and carry out sophisticated attacks on the retail sector where personal data and payment information are often transmitted and stored in unsecure ways. Companies, including those in the retail sector, need to ensure they have both technical solutions and skilled technical staff to reduce risks to acceptable levels.”.