We're not Mr Brightside: Asda Car Insurance broker hacked No customer data was exposed after the firm behind Asda Car Insurance was hacked, said the broker as it explained why the ACI website went offline earlier this week. Reg reader and Asda Car Insurance customer Arthur forwarded us a notice he received from Brightside Group, who provide white label insurance products for Asda and …
Quite. It's annoying when they say this so early on, they can't possibly know the impact or scale of the breach so soon.
I'm not a customer of any of their sites but if I were in the event of breach I would be happier to be told "At this time we are confident that no customer data was accessed, but are performing a thorough investigation to verify this. We will inform you if any of your data is affected." than to be told my data isn't affected initially and then told it is later.
"Quite. It's annoying when they say this so early on, they can't possibly know the impact or scale of the breach so soon."
Coming "clean" so soon, is better for business in the long run, than the alterative: Don't say a damn thing, and wait for someone else to report credit card records and other personal information were stolen.
But if you think that no-one will ever find out, then the second 'don't say a damn thing' response is the preferred.
It's all about damage control, that is, *theirs*, they don't actually care about end users unless those end users find out.
At least ACI have come clean.
I'm convince Flybe has been breached recently as I've started receiving some spam (not a lot - yet) to an address I only use with them. They don't publish a straightforward customer services email address so I've sent an email to both their tech support AND Data Protection ones, and have so far heard bugger all back. So either they're keeping stumm, are too clueless to know, or quite possibly no-one actually monitors those mailboxes!
"I'm convince Flybe has been breached recently as I've started receiving some spam (not a lot - yet) to an address I only use with them."
Was that address of the form flybe@domainname ?
I used to adopt addresses like that when handing them out to companies, websites, etc - but I'm not sure they're a valid way to monitor and control an address. I think some spammers may be trying common company names @knowndomainnames in order to get their crud to people like us.
I now generate a unique 7 - 10 character string to go before the @, with certain (undisclosed) characteristics so I can recognise if its an email I genuinely gave out, and check my records to see who to.
I think using this approach (for now at least) I'm less likely to falsely accuse CompanyXYZ of letting my email address out of the bag when, in fact, it was just pure bad luck that a spammer chose their name @ the domain I use for this.
Zero Days? Shellshock? Social Engineering? Any of the above.
I'd ask "Compliant with what, exactly?".
TBH their response should be contrasted with recent mass-theft of CC data from major retailers, where they lost it, didn't know they lost it, and then didn't admit they lost it when they found out.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
