I wasn’t going to blog about Carphone Warehouse being fined £400k by the ICO for a breach, because boring-boring-you’ve-done-this-before, but then I couldn’t help myself.
Carphone’s offence? A data breach. Resulting from poor maintenance of cyber security on an internet-facing webserver.
You remember TalkTalk? They were fined £400,000 just over a year ago. For a data breach. Resulting from poor maintenance of cyber security on an internet-facing webserver.
The Carphone breach actually happened before the TalkTalk breach; the wheels of the ICO may grind exceedingly fine, but they sure ain’t quick.
Carphone said “we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”
No. No you didn’t. Because you should have moved after your breach was first discovered in early August to check if anyone else you knew had similar problems – like, oh, I don’t know, another company you were part of until 2010 and with whom you share a chairman and major shareholder.
Did it not occur to Dunstone, some time between August 5th 2015 and October 15th 2015, to ask at a TalkTalk board meeting whether they’d had a look around for any unpatched vulnerabilities? I mean I’m assuming that word of the original Carphone breach had reached him, since there’s this thing called governance. I may have blogged about it. It’s what chairpeople are for.
I have been writing about the need for companies to focus on cyber security and data protection since 2013. I am not alone. But no-one is listening. Yes, lots of people are spending money on GDPR advice, but a lot of that is going on privacy policies and other paperwork, or trying desperately to redeem fundamentally flawed “big-data” projects.
But I’m not seeing any great stampede to implement real security measures, and I’m still seeing lots of companies without effective patching mechanisms, with unmaintained firewalls, with no implementation of least privilege, without basic encryption, with poorly-trained and under-resourced IT departments, with uncertified suppliers, with support contracts that are silent on security, with no proper security awareness training and so on, and so bloody forth.
Articles 25 and 32 of the GDPR require you to implement appropriate organisational and technical measures to ensure the confidentiality, integrity and availability of the personal data you store and process.
If you don’t get your act together, the ICO will find you and they will fine you. It might not be Liam Neeson, but it will hurt. And it will hurt a lot more after May. How much does it have to hurt before you’re prepared to invest to prevent it, I wonder?