Tough Lessons: What We Can Learn from the Carphone Warehouse Saga
In insight / By Phil Muncaster / 15 January 2018
I’m not a huge fan of ambulance chasing in PR. As an IT journalist my inbox is usually full of vendor pitches looking to profit off the back of others’ misfortune. But sometimes major cybersecurity incidents warrant a closer look. By learning from the mistakes revealed in high-profile breach incidents, organisations have an opportunity to make sure they don’t suffer the same fate. The 2015 Carphone Warehouse breach is one such incident.
Last week, the firm was fined £400,000 by the Information Commissioner’s Office (ICO) for failings that led to a major cyber-attack. This is among the largest fines ever levied by the privacy watchdog, but with the EU GDPR set to land in May, firms should be aware that these penalties could get significantly higher.
Hackers hit the telecoms retailer — owned by the Dixons Carphone group — between 21 July and 5 August 2015, accessing data on customers and employees. This included names, addresses, phone numbers, dates of birth and marital status for over 3.3 million customers, as well as historical payment card data on 18,000 customers. Also compromised were records linked to 1,000 employees including name, postcode, work email, phone numbers and even car registration numbers.
It’s not hard to see how valuable data like this could be to an attacker. Such details are regularly traded on dark web sites as they can be used by fraudsters to commit identity fraud, or at least to craft convincing phishing emails in a bid to elicit even more valuable information such as financial details.
Here’s what happened:
- Attackers used a publicly available pen testing tool to scan for outdated software and common system vulnerabilities.
- They found an outdated WordPress installation riddled with vulnerabilities.
- They were able to access the WordPress admin account (albeit via valid log-ins rather than exploiting one of the vulnerabilities).
- The attackers then uploaded web shells, providing them with file management and other capabilities.
- They located plain text credentials to access local databases containing the sensitive customer and employee data, exporting a large file/files from the network.
A cautionary tale
You couldn’t find a more textbook example of malicious hacking and data exfiltration, made easier by the security deficiencies uncovered through subsequent investigations into the incident. A question mark still remains over how the attackers managed to get hold of the valid WordPress log-ins that allowed them to access the internal Carphone Warehouse systems. But as the ICO explains in its report, the firm was still negligent in having no oversight of who had these credentials or any system in place for detecting unauthorised use of these credentials.
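The attack steps listed above and the missing detection of unauthorised credential use both leave traces in ordinary web server access logs. The following is an added example, not taken from the ICO report or from Carphone Warehouse's systems: it flags successful WordPress logins from addresses outside a staff allowlist and PHP files being served from the uploads directory, a common sign of a web shell. The log lines, IP addresses, allowlist and the `find_alerts` helper are constructed for illustration, and it assumes default WordPress behaviour (a successful login answers with a 302 redirect) and that only staff hold accounts on the site.

```python
import re

# Constructed sample in Apache/nginx "combined" log format (not real incident data).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:09:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:23:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:23:14:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:23:15:02 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:23:15:40 +0000] "POST /wp-content/uploads/2024/01/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:23:20:00 +0000] "GET /wp-content/uploads/2024/01/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client IP, method, path and status from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# the uploads directory should only ever serve static media, never PHP
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.ph(p\d?|tml)(\?|$)', re.I)


def find_alerts(log_text, staff_allowlist):
    """Return (rule, ip, path) tuples for the two conditions described above."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        # Assumption: a 302 reply to a login POST means the credentials were accepted.
        if (method == "POST" and path.startswith("/wp-login.php")
                and status == "302" and ip not in staff_allowlist):
            alerts.append(("login_from_unlisted_ip", ip, path))
        # A 2xx reply for a PHP file under uploads means uploaded code was executed.
        if UPLOAD_PHP_RE.match(path) and status.startswith("2"):
            alerts.append(("php_served_from_uploads", ip, path))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, staff_allowlist={"10.0.0.5"}):
        print(alert)
```

Blocking PHP execution under the uploads directory at the web server removes the second condition outright; the log check then serves as a backstop for misconfiguration.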
Other crucial gaps in Carphone Warehouse IT security included: no enforcement of its corporate “patch management standard”; inadequate vulnerability scanning/pen testing; no web application firewall (WAF); inadequate intrusion detection; shared admin passwords; inadequate minimisation of data; encryption keys stored in plain text in application source code; and no AV on any servers, contravening the company’s own security policy.
The detailed report produced by the ICO shows what can happen when an organisation loses control of cybersecurity. In some cases it had suitable policies — ie for patch management and applying AV to servers — but had no way of enforcing them. It used encryption, but then undermined this vital security step by storing the keys in plain text for the attackers to find. The firm’s approach to access controls was also problematic. There was no evidence of a “least privilege” policy or multi-factor authentication (MFA).
What we can learn
So what can we learn? You can’t simply put in place security policies and then forget about them. They must be enforced and regularly audited. Also, best practice security is so-called for a reason. Things like WAFs, AV, intrusion detection, regular patching, limited access controls, regular pen testing and data minimisation are essential to keeping systems and data secure — and expected by regulators.
It’s still unclear why the incident never resulted in identity fraud for the firm’s customers and employees. Perhaps the attackers bungled their data exfiltration, or perhaps the data was stolen for a purpose other than to make money on the cybercrime underground. The fact that no-one suffered in follow-on attacks might have helped save the firm another £100,000 in fines, but others will not be so lucky after 25 May.
The GDPR will give the ICO the power to levy fines of up to £17m or 4% of global annual turnover, whichever is greater. If a company which describes itself as the largest independent telecoms retailer in Europe can make such egregious mistakes, there may be many more out there that could benefit from a serious review of their internal security.