Electronics giant Dixons Carphone has been hit by another cyber-attack, this time involving millions of customer credit card numbers and records. Stewart Twynham looks at the lessons the brand should have learned from their previous breach - but didn’t.
If I had been asked to put money on the most likely candidate for the first post-GDPR breach notification, then Dixons Carphone plc would have easily made my top five.
Back in January this year, their Carphone Warehouse brand received one of the largest civil monetary penalties ever issued by the Information Commissioner – £400,000 – in relation to what was a technically simple cyber-attack back in 2015 which saw the exfiltration of over 3.3m customer records.
The commissioner discovered that none of the servers had antivirus software, and all shared the same administrator password which was known to 30-40 staff members. The websites, which ran on WordPress, had not been patched for some six years and no Web Application Firewall (WAF) was installed. Encryption keys for the databases were stored in plaintext and no one could account as to why the databases held such a large volume of historic customer data in the first place.
Submissions by Carphone Warehouse that ‘unjustifiably high standards of information security’ were being imposed upon them were rejected by the commissioner. Yet, none of this should have been a surprise to the group – the commissioner also noting that around the time of the Dixons merger in 2014 the group had been aware of potential deficiencies and had already implemented “a wide-ranging remedial programme for its information security”.
So, had lessons been learned since the 2015 attack? Were they just incredibly unlucky to be hit again?
The latest attack involved 5.9m credit card records and an additional 1.2m customer records. Whilst technical details have yet to emerge, a look through the 164 pages of the 2016-17 Dixons Carphone annual report suggests that the group has a very long way to go.
The term ‘cybersecurity’ made the boardroom agenda just once – and even then only appeared as a footnote to a wider topic on IT infrastructure. The single biggest risk to a modern-day online business – and this less than 12 months after a previously devastating cyber-attack – was not considered important enough to earn its own bullet point.
Incoming CEO Alex Baldock has pledged to significantly increase spending on technology and IT systems following the latest attack, but this has been the Dixons mantra since 2014 – and the ‘wide-ranging remedial programme’ implemented at the time failed to prevent the 2015 attack.
The 2016-17 annual report even claims that information security risk had reduced thanks to a “significant and ongoing management effort and investment to reduce this risk exposure” – yet that effort once again failed to prevent the latest attack.
The numbers say it all. Their glossy report is long on bold claims about how many tonnes of waste the group collected, the amount of CO2 they saved, the impact of their photovoltaic installations down to the last kilowatt-hour and even how much as a group they’ve invested in LED lighting down to the last penny – but there isn’t a single line item that relates to information security.
Back in January, the Information Commissioner identified problems that were “wide-ranging and systemic, rather than single isolated gaps in an otherwise robust package of technical and organisational measures.”
Rapid growth – both organic and by acquisition – has resulted in the creation of a huge technical debt at Dixons Carphone – and, as with any other debt, it needs to be at the very top of every boardroom agenda until the matter is finally put to bed.
Until that happens, our personal data will continue to be put at risk by an organisation which is big on promises but fails to implement basic measures that I believe the general public would take for granted.