Your customer details...
The new Gold, better than gold!
That's how many in the past two months? Some people have been really, really busy..
Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked. The company said on Saturday afternoon that it had first discovered its systems had been violated by a " …
I voluntarily give Microsoft my details each year. I sign many agreements with my name, address and other details, I also sign electronic agreements with my info too. I get sent one email per year from them, I have never had an unsolicited email, phone call or snail mail from them.
So Carphone Warehouse get hacked. It's always a sophisticated hack because they can't admit their security is utter shite, I'm surprised they don't claim they were hacked by a Nation State to try and shift the blame elsewhere.
They then compound their stupidity by telling the customer it's their responsibility to sort out issues. What a bunch of utter clueless fuckwits. I'm pleased I pay for all my PAYG with cash as I need it.
Epic fail.
So obviously not our fault. What could we do? So no compensation for all the inconvenience changing CC details, passwords, pins and ongoing identity theft risk, because, well, how could we ever be expected to defend ourselves against an attack as sophisticated as that.
Yeah, right. Funny how *all* these attacks are sophisticated.
Had to downvote your post about downvotes because, well, that's generally what happens around these parts. There's been many a time I've started to write a rant about downvotes on my posts, even on posts that contain simple undeniable facts rather than opinions, but then thought better of it. It's best just to ignore them.
"The usual waffle about announcing a breach and then saying your security is important to us."
I have a lot of important things on my To-Do list as well... doesn't mean that I will tackle them any time soon, since there are different shades of importance, and then there's priorities, and meetings about priorities and backlogs with lots of important things... Sounds familiar, Carphone Warehouse?
Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.
It seems to me that the industry should start insisting on such things. Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.
Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems?
Lots and they are about as effective as an MCP.
Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.
If you look for IT Security jobs you will see this. You really will.
There are dozens and dozens of IT security certification schemes and training courses. It is very much courses for horses, and everyone will have an opinion as to which are good and which are crap. The SANS courses are generally very, very well regarded but they aren't for everyone.
I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening. I do take your point about SANS, but I am thinking more along the lines of something like an NVQ in IT security as being a minimum for all IT professionals.
"it's more that all IT jobs should have a proven competency in IT security as an absolute requirement" -- Swiss Anton
IT jobs don't even require proven competency in IT, let alone the subcategory of security. With a degree in genetics and a PhD in biochemistry this suits me, although it staggers me that after a few hours reading code in a language I didn't know before, I can spot huge errors (by which I mean ones that are simultaneously trivial and massive) committed by soi-disant software 'engineers' or even 'architects', more often than not with the hideously undeserved prefix of 'senior' or even 'principal'.
The problem is always (upper) management. They are the ones who tell HR to hire from the very bottom of the barrel; the ones that feel almost any form of testing is a waste of budget; and the ones who, time and time again, emerge absolutely scot-free, shrugging off any consequences, either direct (fines or jail time) or indirect (damage to their careers).
Although it would be nice to think this is a problem that could be approached from the bottom, with certification, professional bodies and meaningful qualifications, after a few decades in the industry I am more and more convinced that it can only be solved top-down. It should not be acceptable for CEOs to issue, via their spokestards, meaningless apologies referring to utterly unsubstantiated 'sophistication'; notifying the authorities too late ('because we wanted to establish the scale of the breach') and transferring all responsibility for cleaning up the mess onto the victims themselves.
The Data Protection Act requires that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Failure to comply can lead to fines for the company and the company directors.
So if CW cannot demonstrate that the technical and organisational measures they had in place were "appropriate" [in the light of increasing prevalence of cyber attacks] then both the company and its directors may be liable for HEFTY FINES.
I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening.
You could have every member of your IT staff trained and qualified in IT Security, but if your beancounters and middle management don't have an appreciation of the need for security, it ain't going to be implemented correctly.
Yes (if you must get certified) ...
SSCP for techies
CISSP for architects, managers and techies
They are comprehensive on the best practices... Just reading a CISSP or SSCP study guide and applying the detail would be a good start.
There are also good best practice guides from SANS and OWASP.
Don't get hung up on cyber security job titles though .. my job entails security engineer, analyst and architect roles but I've been too busy over the last 20 years to get certified.
>Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.
You forgot the Joke icon, my friend. MCP, MCSE, or MCSD, to anybody knowledgeable in Casio or Texas Instruments calculators or more advanced IT systems means window and surface specialist, good with vacuum cleaners and mops, not to be allowed near anything digital.
When you sign up for a contract, they usually ask for your bank account details for the direct debit for your monthly payment, and they also ask for your credit card details. If there is any up-front charge, they normally charge this to a credit card. If there isn't, they normally make a tiny charge (1p, sometimes) to the credit card as a form of identity verification. (Credit card companies don't like this practice, but it still happens fairly often).
Carphone Warehouse have bought many other businesses over the years. This includes a number of web based mobile phone dealers - e2save, mobiles.co.uk and onestopphoneshop. They have typically kept these brands alive as separate brands. If you go to their websites, it is not obvious that they are Carphone Warehouse unless you read the small print (although if you actually buy a contract from them, they then become open about it after you have signed up). The prices on these websites are usually better than those on Carphone's own branded website or in their store, so I have bought phone contracts that way. I haven't yet received an e-mail from them telling me that they have lost my data, but maybe I will.
What it seems is that Carphone have not fully (or possibly at all) integrated their customer records from all the businesses that they have bought. Probably their systems are a horrible ad-hoc mess of incompatible systems nastily stitched together. Security practices are probably inconsistent and of varying quality. They have therefore had some customer records compromised and not others, and they took three days figuring out precisely which.
...and within the next week or so there'll be another article about how we all use/re-use bad passwords. As if that will make any difference. I try to make an effort with passwords for any site I give my credit card/personal details to, but clearly I might as well use "password" for all the good it'll do.
Am I missing the point, but having signed up to a contract last year (2 year contract) where the direct debit is set up and charged via the service provider (CPW work on commission), why are they storing my details used at the point of initiating the contract that should no longer be needed?
If they did not have them (as no longer required) would that not limit everyone's risk? And doesn't the data protection act say something along the lines of not storing data beyond its requirement?
To top it off their resolution is solely to say email a sorry letter inferring the clients pick up the bill on time, effort and payment to other companies that may be incurred for their failure (minimum should be signing up those breached to on going free credit checks for a certain period of time).
But...
If they did not have them (as no longer required) would that not limit everyone's risk? And doesn't the data protection act say something along the lines of not storing data beyond its requirement?
The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years. Can't have the plebs laundering a few squid now can we eh? Gotta keep track of everyone just in case they start supporting IS etc etc etc
Then there is the Taxman (cometh). They are a whole different Kettle (EU Size approved naturally) of Fish.
So do you really want to be the person who deletes some possibly vital (in the eyes of someone else) bit of data?
"The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years."
Simple solution: CW copy all the records that they no longer need onto a USB stick, delete the records from their own systems, and give the stick to the spooks. Any subsequent breaches of those records can be blamed on GCHQ.
But yeah, the spooks aren't actually *helping* the nation's IT security if they force commercial entities to retain records long after they have any value to the commercial entity that is paying for the storage.
Utterly rubbish. Why should I have to pay for credit and security checks/alerts with people like Experian because Dixons Carphone can't be bothered to do security properly themselves?
I got the email about my credit card details being compromised as a Mobiles.co.uk customer even though I got a contract with o2 through them over 6 months ago and I pay o2 directly. Why have they held my card details??
Obviously cannot and should not be trusted.
You shouldn't - if they were genuinely interested in their negligence and in showing good faith they would have already contacted the likes of Experian and negotiated a deal to cover all those to be able to check for a period of time (I vaguely remember Worcester City Council losing personal data and covering those impacted for 2 years along with enrolment into other monitoring schemes)
By the email advising they are limiting their liabilities, placing the onus on you whilst knowing only a few will run the gauntlet on the financial loss accrued in following their guidance due to their issue, i.e. £90 x 1000 customers not giving up the blockers in pursuing financial loss is a lot less than 2.4 million customers x £5 (p.s. I am speculating this is how they will look at it - the £90 is 6 months Experian cover - the £5 is a complete guess but would be surprised if they could not get it below that).
AFAICT this is TalkTalk helpdesk's response to their customers who signed up via Carphone Warehouse. So it's not difficult to envisage the situation that TT encrypt (?hash) customer passwords at their end but CW don't, leading to a situation where only some TT customers, those from CW, have unencrypted passwords floating about and the rest don't.
Not being a customer of either I'm not sure about processes here but does this imply that the same password is being passed between the companies?