GDPR

BA Security Fallout

Discovery of the file containing the code used in the recent hack of the British Airways website and app, which affected 380,000 transactions, has revealed that it took only 22 lines of JavaScript to cause the massive data breach.

Skimming

The hack, which took place on 21st August and caused disruption into September, is now believed to be down to the injection of a digital skimming file designed to steal financial data from the online payment forms of BA’s website and app. The small skimming file, which was discovered by the cyber-security firm RiskIQ, was used to grab data from BA’s online payment form and then send it to the hacker’s server when the customer hit the ‘submit’ button.

Targeted

The researcher concluded that this was a highly targeted attack where the malicious page in the app was built using the same components as the real website, thereby giving a very close match to the design and functionality of the real thing.

The RiskIQ researcher has described the 22 line digital skimming file implanted by the hackers as “simple but effective”.

Magecart Suspected

The finger of suspicion is now being pointed at a group of hacking operatives known as Magecart. The suspicion is based upon a close match with their modus operandi as highlighted in a recent attack on the Ticketmaster websites, where Magecart also used a similar digital skimmer hidden in a third-party element of the payment process.

More To Come

The attacks on Ticketmaster and BA are believed to be part of a larger campaign by the Magecart hacking group to target big brands, and it is thought, therefore, that more big names will be hitting the headlines soon for data breaches.

Vulnerable

According to some security commentators, the weakest link in a payment process, such as older systems or third-party code inserted into the payment chain, is an obvious place for hackers to strike.

The apparent ease of the attack, which led to the theft of names, email addresses and full credit card details, has led to obvious anger from those affected and criticism of BA by security commentators and professionals.

Big Fine Possible Under GDPR

There is now the real possibility that BA could face a massive £500 million fine (4% of global turnover based on 2017) under GDPR, and this breach is believed to be one of the first really big tests of the new law.

What Does This Mean For Your Business?

Even though the hackers in this case had gone to great lengths to closely tailor their code to the BA site and used a Secure Sockets Layer (SSL) certificate, suggesting a serious level of planning and targeting, it still remains a relatively simple method of attack that has exposed vulnerabilities in the payment systems of a big company. The dependable image of BA, the fact that it is such a big brand, and the scale and scope of the theft have caused shock and anger among customers, and there will undoubtedly be substantial costs to BA’s finances and reputation.

As some security commentators have pointed out, there are ways of preventing third-party code from taking data from sensitive web pages, and BA should really have been wise to this. In BA’s defence, even encryption of data used in the payment system would not have been effective, because the data was intercepted in the customer’s browser before it had reached the company’s servers.
One positive thing to be taken from this case is that it has alerted more companies to the possibility of this kind of attack, thereby giving them time to build in defences against it.

Criminals ‘Invest’ More Than Businesses

Research shows that one reason why organisations face constant, serious security threats is that cyber criminals, fuelled by a new cybercrime-based economy, are spending much more on cyber attacks than organisations are spending on cyber security.

Cyber Criminals Spending and Reinvesting $Trillions!

Back in 2017, Gartner predicted that organisations would collectively be spending around $96 billion on their cyber-security. Although this is a big number, it is dwarfed by the figures relating to the proceeds of crime.

For example, last year, Cyber Security Ventures predicted that cyber-crime will cost the world $6 trillion annually by 2021, and Bromium’s independent study from April this year showed that the booming cyber-crime economy has generated $1.5 trillion in illicit profits. This figure is the equivalent of the GDP of Russia, meaning that if cyber-crime were a country, it would have the 13th highest GDP in the world!

Although some of these profits have been simply acquired, laundered, and spent, much has been ‘reinvested’ by cyber criminals. This means that there is potentially a great deal more being spent by cyber-criminals on cyber-attacks than is being spent by organisations on cyber security.

Revenues Exceed Those of Companies

In fact, cyber-crime revenues have been found to often exceed those of legitimate companies (mainly SME-sized ones), and can even reach the levels of large, multi-national organisations, at over $1 billion.

Greater Spending Forecast

Some commentators have forecast hope in the form of much greater security spending by organisations in the not-too-distant future. For example, research company Gartner has noted that, with the average cost of a data breach at $3.86 million (Ponemon Institute figures), and with the recent string of highly publicised data breaches, privacy concerns are becoming the catalyst for increased security spending for organisations. Skills shortages and GDPR are also driving demand for security services.

Gartner predicts that privacy concerns will drive at least 10% of the market demand for security services through 2019, as security and risk management are recognised as being a critical part of any digital business initiative. Gartner also predicts that at least 30% of organisations will be spending on GDPR-related consulting and implementation services through 2019.

What Does This Mean For Your Business?

The huge sums being made and re-invested in their activities by cyber-criminals are evidence of a big change in the environment that poses a major threat to data security for businesses. Security commentators have noted that in a world where data has become a valuable commodity, a professional cybercrime-based economy has grown and become a self-sustaining system and a platform of criminality that mirrors the platform capitalism model used by big companies. The economic relationships and agents in this criminal system can generate and maintain huge revenue streams that can be used to fund more cyber-crime and other crime such as human trafficking, drugs and terrorism.

The wealth of states is also being used to fund cyber-crime as hacking gangs carry out more state-sponsored attacks (e.g. Russia, China and North Korea) thereby threatening many parts of the UK economy. Clearly, this is a challenging time for UK businesses in terms of planning and spending on security.

Apple Apps Taken Down For Spying

The Mac App Store has taken down a number of well-known security apps for the Apple Mac after it was discovered that they were being used to spy on the browsing habits of their users.

Which Apps?

It has been reported that Dr Unarchiver, Dr Cleaner, Adware Medic, Adware Doctor and App Uninstall have all been removed from the Apple-curated Mac App Store on the grounds of spying on users.

Rumbled

A researcher in Germany, identified only by their @privacyis1st Twitter identity, is credited with alerting the Mac App Store to the fact that the Adware Doctor app, attributed to a company called Yongming Zhang (the name of a well-known Chinese serial killer), and the Trend Micro apps were linked to the same suspect IP address in China.

It has also been reported that suspicions and concerns about the apps go back some years. For example, online reports about Adware Doctor from 2016 indicate that the app was using AppleScript to perform actions in violation of Apple’s App Store Guidelines. It has also been alleged that the glowing reviews of Adware Doctor and other applications by the same developer may have been faked.

How?

It has been reported that the suspect apps were able to spy by first tricking the user into giving them macOS home directory access under the guise of virus scanning and cache-clearing options. Once this permission was granted, the apps were able to abuse their access privileges by gathering browser-history data from Chrome, Firefox and Safari. This data was then sent back to suspected malicious operators.

What Does This Mean For Your Business?

This is not the first time that there have been reports of dodgy apps lurking in legitimate stores. For example, back in January, 36 fake and malicious Android apps masquerading as security tools, which could harvest your data and track your location, were discovered in the trusted Google Play Store. All had reassuring names such as Security Defender and Security Keeper, and many performed some legitimate tasks on the surface, such as cleaning junk, saving battery, scanning, and CPU cooling, but all were found to be hiding malware, adware and tracking software.

Apple generally has a good brand reputation with regards to security so it will undoubtedly be very unhappy to have its name and the store that it curates associated in any way with any malicious apps.

This story is another reminder that, when it comes to apps, even though the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Apple (in this case) didn’t immediately spot the hidden aspects of the apps. Also, we often don’t have the time to make checks on the apps that we download, and good reviews and the ‘halo effect’ of the good name of the store that they’re in are often enough of a recommendation for us to act.

The fact that many of us now store most of our personal lives on our smart phones makes reports such as these all the more alarming, and can undermine our confidence in (and cause costly damage to) the brands that are associated with such incidents.

To minimise the risk of falling victim to suspect apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone’s service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.

The bad publicity from this story may also make Apple keen to review its systems and procedures for checking the apps that are offered in the store that it curates.

Superdrug Customers Informed of Hack

Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked their systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information from their own record of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked for a ransom from Superdrug.

May Have Got From Elsewhere

Even though the assumption is that the mystery hackers got into Superdrug’s systems to get the customer data, Superdrug is claiming this is not the case and that the hackers got the customer login details from other websites and then used those credentials to access accounts on the Superdrug website.

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers were genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.

Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.

Businesses and organisations should be putting customer data protection very high on their list of business priorities, and not just because of possible fines under GDPR: strong data security policies, procedures, practices, and defences protect the customer, the company and its reputation, and the vital and valuable bond of trust between merchant and customer, and they send a message that customer security concerns are taken seriously.

Google Location Tracking, Even When Switched Off?

An Associated Press report has accused Google of recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Discovered

The apparent tracking without permission was discovered as part of research, when a Princeton privacy researcher noticed in his account that Google had tracked his many different locations along a route after he had been travelling for several days, despite his Location History being turned off.

Also, research has revealed that, even when Location History is paused / switched off, some Google apps store time-stamped location data without specifically asking your permission. For example, Google stores data about where you are when you simply open the Maps app, automatic daily weather updates on Android can discover roughly where you are, and some searches apparently unrelated to your location can also pinpoint your exact latitude and longitude, and save it to your Google account.

Could Affect Billions

It is thought that this could affect around two billion Android and Apple devices which use Google for maps or search.

What Is “Location History” and Why Have It Anyway?

According to Google, Location History is one of several ways to improve the experience of users, and works for features such as Google Maps e.g. if you agree to let Google Maps record your location over time, it will display that history for you in a “timeline” that maps out your daily movements.

Google says that Location History helps you to find the places you’ve been and the routes you’ve travelled. Google states that, when you choose to enable Location History, it records your location data and places in your Google Account, even when you’re not using Google Maps.

What’s The Problem?

The problem is that Google also states that “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

Also, researchers have discovered that two things (rather than one) need to be opted out of in order to prevent tracking. Users need to disable both “Location History” and “Web & App Activity” in order to opt out. Some commentators feel that this has not been made clear by Google.

The Issues

The issues with this are that:

– In the UK, for example, this may constitute a lack of transparency, openness and fairness under GDPR about what users are being told is happening to their data and what is actually happening.

– Users appear to have chosen to opt-out of something / not give their consent to something that relates to their privacy and the security of their personal data, and yet have not been opted-out completely by the company (possible issues of GDPR compliance).

– Some commentators have described it as ‘sneaky’ and it could certainly be an issue that affects the trust of users.

– Location data of this kind has been used by police (in the US) to track suspects, and could also potentially be used by other players e.g. cyber criminals if they had access to the user’s account. This could put users at risk.

– Location data can also be used to target people with location-based advertising. This may be something that users would like to avoid.

What Can You Do To Avoid Being Tracked In This Way?

The Associated Press has produced a guide which details what actions you can take to avoid being tracked by Google, even if your Location History on your mobile device is paused / turned off: The guide can be found here: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you’ve-been

What Does This Mean For Your Business?

This story should be a reminder, particularly since the introduction of GDPR, that people value their privacy and security, and that businesses now have a strong legal responsibility to take this seriously. Transparency, fairness, and openness are vital when telling your customers what you’re doing / what you plan to do with their data. The issue of consent, i.e. your customers choosing to withdraw consent and your business complying fully with those requests, should now be treated very seriously, and there must be consistency between what your company says it is going to do and what actually happens.

Sadly, it appears that all too often, large organisations / companies don’t appear to be handling our data in a way that we would like or have requested. For example, Facebook’s sharing of the personal data of 87 million users with Cambridge Analytica caused widespread outrage, and recently the ‘Deceived By Design’ report by the Norwegian government-funded Consumer Council has accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

It may be that we have to wait a little longer and see a few more big tech companies being properly held to account before things start to really change for the better for users.

Social Mapper Can Trace Your Face

Trustwave’s SpiderLabs has created a new penetration testing tool that uses facial recognition to trace your face through all your social media profiles, link your name to it, and identify which organisation you work for.

Why?

According to its (ethical) creators, Trustwave’s SpiderLabs, Social Mapper has been designed to help penetration testers (those tasked with conducting simulated attacks on computer systems to aid security) and red teamers (ethical hackers) to save time and expand target lists in the intelligence gathering phase of creating the social media phishing scenarios that are ultimately used to test an organisation’s cyber defences.

What Does It Do?

Social Mapper is an open source intelligence tool that employs facial recognition to correlate social media profiles across a number of different sites on a large scale. The software automates the process of searching the most popular social media sites for names and pictures of individuals in order to accurately detect and group a person’s presence. The results are then compiled in a report that can be quickly viewed and understood by a human operator.

How Does It Work?

Social Mapper works in 3 phases. Firstly, it is provided with names and pictures of people, e.g. via links in a CSV file, images in a folder, or via people registered to a company on LinkedIn.

Secondly, in a time-consuming phase, it uses a Firefox browser to log in to social media sites and search for its targets by name. When it finds the top results, it downloads profile pictures and uses facial recognition checks to try and find a match. The social media sites it searches are LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo, and Douban.

Finally, it generates a report of the results.

What’s The Report Used For?

The report is designed to give the user a starting point to target individuals on social media for phishing, link-sharing, and password-snooping attacks.

For example, a user can create fake social media profiles to ‘friend’ targets and send them links to credential capturing landing pages or downloadable malware, trick users into disclosing their emails and phone numbers e.g. using vouchers and offers to tempt them into phishing traps, create custom phishing campaigns for each social media site, or even to physically look at photos of employees to find access card badges or to study aspects of building interiors.

What Does This Mean For Your Business?

In the right hands, Social Mapper sounds as though it could ultimately help businesses to improve their online security, because it helps to create much better quality and more realistic testing scenarios on a larger scale that could uncover loopholes and shortcomings that current testing may not be able to find.

The worry, however, is that in the wrong hands it could be used by cyber-criminals to quickly gather information about a target business and its employees, thereby enabling potentially very effective phishing and password-snooping campaigns to be created. This detailed information could also be shared among and sold to other criminals which could mean that individuals could be subjected to a number of attacks over time through multiple channels.

The obvious hope is, therefore, that enough checks and security measures will be put in place by its creators thereby not allowing the software to fall into the wrong hands in the first place and be used by criminals against the businesses and organisations that it was designed to help.

Microsoft To Launch App-Testing Sandbox ‘InPrivate Desktop’ Feature

It has been reported that Microsoft is to launch InPrivate Desktop for a future version of Windows 10, a kind of throwaway sandbox that gives Admins a secure way to operate one-time tests of any untrusted apps / software.

Like A Virtual Machine

Although the new feature is still a bit hush-hush, and has actually been removed from the Windows 10 Insider programme, it is believed to act like a kind of in-box, speedy VM (virtual machine) that is then refreshed for use again after it has been used on a particular app.

Why?

The reason for the new feature, in the broader sense, is that it fits with moves announced by Microsoft in June 2017 to introduce next-generation security features to Windows 10.

ATP & WDAG

Back in June 2017, Microsoft specifically mentioned the integration of Windows Defender Advanced Threat Protection (ATP) as one of the next-generation security measures. ATP, for example, was designed to isolate and contain the threat if a user on a corporate network accidentally downloaded malicious software via their browser.

A security feature that some commentators have likened InPrivate Desktop to, and that was also specifically mentioned last June, was Windows Defender Application Guard (WDAG). Interestingly, WDAG isolates potential malware and exploits downloaded via a user’s browser and contains the threat using virtualisation-based security.

Spec Needed For InPrivate Desktop

Although the exact details of InPrivate Desktop are sketchy, we know that it is likely to be aimed at enterprises rather than individual users and that, as such, it is likely to need a reasonable spec to operate. It has been reported that in order to run the new feature / app at least 4GB of RAM, at least 5GB of free disk space, and two CPU cores will be needed.

When?

There is also still some speculation as to exactly when the InPrivate Desktop feature will make it to Windows 10. Some commentators have noted that it may not make it into Windows 10 ‘Redstone 5’, and it looks likely to be rolled out in a subsequent Windows 10 update which has been codenamed 19H1.

What Does This Mean For Your Business?

With support stopping for previous versions of Windows, and with all of us being forced into using Windows 10’s SaaS model, it makes sense that Microsoft adds more features to protect users, particularly businesses.

Adding malicious code to apps has been a method increasingly used by cyber-criminals to sneak under the radar, and having a secure space to test and isolate dubious / suspect apps will give Admins an extra tool to protect their organisation from evolving cyber-threats. It is extra-convenient that the testing feature / app sandbox will already be built-in to Windows 10.

IBM Makes Test Version of New Stealth AI Malware ‘DeepLocker’

IBM has announced that it has created its own stealth, ultra-evasive AI malware called ‘DeepLocker’ that can evade all traditional cyber-security protection, hide in normal applications, and only strike when it is sure it has reached its intended target.

Why?

Cyber-criminals are becoming ever-more sophisticated in their methods, and the resources available to them have increased, e.g. as hackers have also worked in state-sponsored activities. Also, the world of Artificial Intelligence (AI) has come on leaps and bounds in recent years, and the fear is that cyber criminals could soon be deploying their own AI-powered malware. IBM has therefore decided to create its own version in order to see how it works and behaves, and thereby gain valuable information which could help it to reduce risks and find ways to counter such attacks.

DeepLocker

One of the things that makes DeepLocker so different to other malware that tends to take a scattergun approach to infection is that it can hide itself and its intent until it reaches a specific target.

This is down to DeepLocker using a deep neural network (DNN) AI model, a sophisticated computer system modelled on the human brain and nervous system. This DNN provides a kind of ‘black box’ that totally conceals the “trigger conditions”, and makes the attack almost impossible to decipher and reverse engineer. DeepLocker’s AI can, therefore, even convert its own concealed trigger condition (which has been transformed into a deep convolutional network) into a “password” or “key” to unlock its own attack payload when it identifies its victim. In this sense, it contains three layers of attack concealment.

Hides & Identifies

According to IBM, DeepLocker can hide itself completely in normal ‘carrier’ applications such as video conference software. This enables it to fly completely under the radar and avoid detection by most antivirus and malware scanners. It also allows it to be spread widely and without providing any clues that there is a threat.

What Does This Mean For Your Business?

Malware attacks have cost businesses, organisations and whole economies vast amounts of money and untold disruption and problems in recent times. Evasive malware has been evolving for many years now as cyber-criminals try to find their way around better security measures and more sophisticated sandboxes. AI attacks using ultra-evasive, stealth methods of the nature of DeepLocker represent the next frightening wave of attack that organisations and businesses will have to face. It is a good thing, therefore, that IBM has tried to take the initiative and gain a march on cyber-criminals, who will undoubtedly seek to weaponise AI, by creating its own version in order to learn lessons in advance that could provide at least some level of protection and recommendations for counter-measures.

Half of Us Will Activate Our New GDPR Rights Within A Year

The results of a new survey by analytics, business intelligence and data management firm SAS indicate that more than half of UK consumers look likely to exercise their new GDPR rights within the first year of GDPR’s introduction.

GDPR

The new General Data Protection Regulation (GDPR) that applies to those who collect, store and process the data of EU citizens came into force on 25th May this year. The Regulation replaced the EU Data Protection Directive of 1995, is part of EU privacy and human rights law, and was supposed to ensure greater consistency and harmony between data protection laws across the EU by bringing all data protection elements under one law for all countries. This meant that UK citizens appear to have been granted greater levels of protection of their personal data than before.

The Survey Results

The results of the latest post-GDPR SAS survey have been compared to a pre-GDPR survey conducted in 2017, and have shown that more people are planning to (and look more likely to) be exercising some aspect of their new GDPR rights more quickly than was thought after the first survey.

For example, the latest survey results show that 31% have already activated their rights over personal data, and 55% (compared to 42% in last year’s survey) plan to do so within a year.

The Facebook / Cambridge Analytica Scandal To Blame For Increase

The survey puts the Facebook / Cambridge Analytica scandal at the centre of the reasons why more people have already exercised their new GDPR rights. For example, 88% of UK consumers said they were aware of the scandal and, of those, 72% said it had caused them to retract data permissions, as well as planning to share less data or review how companies use their personal information.

One Mistake Enough

The SAS survey also shows that, in the wake of being granted new rights and hearing about the extent of the Facebook / Cambridge Analytica scandal, people are now much less likely to tolerate misuse and mistakes involving their personal data. For example, 45% said they would activate their data rights after only one mistake.

Social Media Companies and Retailers

According to the survey, social media companies and retailers are going to have to work the hardest to retain customer data, and can expect large numbers of requests to opt-out and to have data erased. For example, the SAS survey shows that 43% of consumers object to social media companies and retailers (41%) using their personal data for marketing. Supermarkets (37%), insurers (35%) and energy providers (34%) are the next to be least trusted with personal data.

What Does This Mean For Your Business?

Being on the end of years of annoying spam calls and emails, hearing about multiple high-profile data breaches and the Facebook / Cambridge Analytica scandal, and now being granted greater control of how their data is used and shared has clearly made consumers more determined to exercise their rights, express how much value they place on their security and privacy, and take control back by opting out. Those organisations that have been most in the spotlight for letting consumers down, e.g. social media companies and retailers, look likely to face the brunt of the initial GDPR backlash.

An important message that businesses need to take from the results of the SAS survey(s) is that they need to respect their customers and their data or risk losing both, which could, in turn, damage their competitive advantage and hit profits. Yes, compliance with GDPR as a law is an important ongoing goal, but businesses should also remember that transparent data management and analytics are important to provide the kind of personalised customer experiences that make consumers more willing to share their data.

10 Million Affected by Dixons Carphone Data Breach

Dixons Carphone has announced that, after a review following a hack of its customers’ data, 10 million customers rather than the original estimate of 1.2 million have actually been affected.

What Happened?

Back in June, Dixons Carphone announced that a hacking attempt, which had actually taken place in July 2017, had been made on one of the processing systems of Currys PC World and Dixons Travel stores. The original announcement put the figures at an attempted theft of the details of 5.9 million credit and debit cards, with only 105,000 cards without chip-and-pin protection being leaked, and an estimated 1.2 million personal data records being accessed / compromised.

Millions More

This latest shocking announcement puts the number of customers thought to be affected at 10 million!

Dixons Carphone has apologised to customers, and has offered an assurance that the company is fully committed to making their personal data safe.

No Bank Details & No Fraud

Despite the large numbers of customers affected by the breach, Dixons Carphone has been quick to point out that no bank details were taken, and it has found no evidence that fraud had resulted from the breach.

Working With Cyber-Security Experts

The company has stated that it has been working hard with cyber-security experts since the breach and has put in further security measures to keep customer data safe in future.

The updated security measures taken have been reported to include closing off the unauthorised access, adding new (unspecified) security measures, and launching an immediate investigation.

Also, Dixons Carphone is reported to be in the process of contacting all of its customers to apologise and advise on what steps they can take to protect themselves.

Other Woes

The massive data breach is one of many woes that the company has been experiencing in recent times. Back in May, Dixons Carphone highlighted people not renewing their handsets as frequently, and a declining market for long-term mobile contracts, as the two main reasons for the planned closure of 92 of its 700 stores. The company was forced to act after a warning that the next year’s profits could be down £82 million led to shares in the company falling 20.7%. Share values had already fallen by 30% over the previous 12 months.

Market commentators have noted that a fall in the value of the pound (in the wake of Brexit) has made mobile handsets more expensive. Also, technical innovation has slowed, giving shoppers less reason to update their phones, meaning that they have been hanging onto their current handsets for longer.

What Does This Mean For Your Business?

We’re getting so used to hearing about data breaches where millions of people have been affected that we’re in danger of accepting it as normal. It’s important to remember that all companies, particularly with GDPR now in place, have at least a legal responsibility to protect the personal data of their stakeholders to the best of their abilities.

All businesses must surely be aware that cyber-criminals are now using sophisticated, multi-level methods on a daily basis to find their way into whatever weaknesses they can, and large, well-known companies with millions of customers (and millions of valuable customer details) are obviously going to be prime targets. It is not acceptable, therefore, for a large company that is, no doubt, aware of the cyber threats in the business environment to allow the details of over 10 million customers to be taken, with customers only finding out and receiving an apology a year later.

Data protection should now be a priority issue in the boardroom, and even though some companies may be going through difficult times financially, data protection is not an area where they can really afford to let their guard down. The damage to reputations, the loss of customers, and fines from the ICO can now be enough to threaten the existence of a business, and even without the moral and ethical perspective, this should be enough of a motivator to keep businesses pushing to stay at least one step ahead of today’s known cyber threats.