Dixons Carphone’s handling of the data breach has drawn criticism from the cybersecurity community for demonstrating a poor attitude towards data protection.
“It’s all very well saying that customers financial details are not at risk, or have not been fraudulently used, but they’re missing the point somewhat,” said Robert Wassall, data protection lawyer and head of legal services at ThinkMarble.
“If their attitude is ‘don’t worry because your financial details haven’t been compromised’, that’s a reflection of the wrong attitude towards data protection.”
Another example of “lax security practices”?
For many companies, the incident reflects a long-term complacency around cybersecurity issues, despite the introduction of GDPR.
“Whilst the exact nature of the Dixons Carphone Warehouse’s breach remains vague, ‘unauthorised access’ suggests there may have been a weakness in user authentication systems,” added Klaas van der Leest, CEO of Intercede.
“The breaches are all shocking and regrettable but it shouldn’t come as a surprise given the lax security practices prevalent in many organisations.”
Others accused the company of putting profit interests before adequate security.
“There is no information on how the breach was made but they stated that they are now working with experts to better protect themselves from a further attacks,” said Patrick Hunter, director of One Identity. Yet again, the customer data has been on the balance with ‘cost to protect’ on the other side of the scale.
“Risk – were they betting on not being attacked or did they genuinely believe that they had best security practices in place? We can certainly suspect that there are companies out there that are doing just that; they are hoping their networks are not attacked. This is no longer good enough.”
However, others were more forgiving of the retail giant.
“Any attempt to compromise a business’ IT systems should be a concern, but companies like Dixons Carphone should not be punished for following compliance procedures,” said Robert Rutherford, CEO of QuoStar.
“It is important to recognise that this incident was an ‘attempt to compromise’. The company was merely following procedures laid out by GDPR, which requires the business to alert the ICO even if the data remains protected by strong encryption protocols and robust firewalls.”
Dixons Carphone breach is a “wake-up call” for businesses
Cybersecurity experts were also quick to urge other companies to learn from the data breach – particularly in light of the possible fines it could result in.
“This data breach needs to act as a wake-up call to companies to examine their cyber risk posture. 80% of all threats could be stopped if organisations addressed the basics of enterprise cyber hygiene,” said Nik Whitfield, CEO of Panaseer.
“Achieving this isn’t easy – the bigger the organisation, the more challenging it is to maintain these ‘basics’, such as identifying IT assets, patching systems, secure coding and controlling privileged access.
“If they want to effectively remediate cybersecurity risk and avoid data breaches like these, which they now have to disclose via GDPR, organisations need to move to a proactive approach and in effect start fireproofing rather than firefighting.”
“This latest breach serves as a fresh reminder that the cyber danger still rings loud and clear for businesses. With another organisation falling victim to the threat of cyberattackers, cybersecurity strategies can no longer be managed reactively,” agreed Anthony Chadd, director of EMEA at Neustar.
“This type of incident re-emphasizes the importance of continual security review – to ensure that vulnerabilities are isolated and removed – and also to ensure access to systems is effectively managed and controlled,” added Andrew Clarke, EMEA Director of One Identity.
“All it takes is for one accessible administrative account available to privileged users to be identified and then used in a malicious manner. It also reasserts the need to have a strong discipline on data governance and ensure that only the right people get access to the right information at the right time.”
Dixons Carphone data breach: why did the company take so long to report the incident?
However, one of the biggest concerns was the speed – or lack thereof – shown by the company in reporting the incident.
“The fact that this breach has only just been identified through a routine security review can be viewed from two sides,” said Wassall.
“Yes, it’s great that this breach was identified as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017, why wasn’t it identified sooner?
“How often is security scanning done, given that it has taken almost a year to be found?”