ICO: Seriously insecure system allowed unauthorised access to DB
Carphone Warehouse has been handed one of the largest ever fines – a whopping £400,000 – from the UK’s data protection watchdog after exposing the details of millions of its customers.
An investigation by the Information Commissioner’s Office found a “striking” number of “distinct and significant inadequacies” in the phone company’s security arrangements.
This allowed the miscreants behind a cyber attack that originated from an IP address in Vietnam in the summer of 2015 – and which went on for a whopping 15 days before being detected – to gain access to millions of individuals personal information.
Commissioner Elizabeth Denham said: “The deficiencies in Carphone Warehouse’s technical and organisational measures created real risks of such data breaches [and]played an essential causal role in this particular incident.”
Affected information included the names, dates of birth, addresses and phone numbers of more than 3 million customers; the staff records – including car registration numbers and work usernames – of 1,000 employees; and historic transaction details – like card numbers and expiry dates – for March 2010 to April 2011 for 18,231 payment cards.
The £400,000 fine matches the record fine doled out to TalkTalk in 2016, with the ICO saying that the “glaring shortcomings” in Carphone Warehouse’s systems should have been identified earlier.
“It is particularly concerning that a number of the inadequacies related to basic, commonplace measures needed for any such system,” commissioner Denham said in her report.
“These inadequacies appear to have persisted over a relatively long period of time, given how easily and quickly some of these glaring shortcoming should have been identified and remedied.”
The report (PDF) details the vulns exploited by the attacker, who made a scan of the system using penetration testing tool Nikto.
It identified a “considerably out-of-date” WordPress installation that was exposed to the internet and “suffered from multiple vulnerabilities” the ICO said.
Via the WordPress installation, the attacker/s entered the system and uploaded web shells that were intended to give themselves basic file management and database functionality.
The hacker then located credentials in – yep, you guess it – plaintext, which they used to search and access information in numerous databases, including those containing personal data.
The ICO said the apparent aim was to extract “as much information as possible”. For instance, the payment information was located and accessed, with “a very realistic possibility” that it was exported.
The attacker also prepared and extracted a large file or files from the network, the contents of which cannot be determined – but the firm has worked on the worst-case assumption that they contained personal data.
As part of its assessment, the ICO commissioned two reports, which concluded that the attacker “clearly had everything he needed to take hold of the system and extract a large amount of information quickly”.
Carphone Warehouse said in a statement that it accepts the decision and is “very sorry for any distress or inconvenience” caused.
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes,” it said. ®