45 comments

[ 3.8 ms ] story [ 102 ms ] thread
A thousandth of the top-end of their expected profits for 17-18. That'll teach them.
It's not supposed to harm them, it's supposed to make it economically sensible for them (and companies like them) to employ one or two people with the sole responsibility of making sure stuff like this doesn't happen.
And when GDPR comes in that will change to make it even more in their economic interest to take these things seriously. The higher of 20 million Euro or 4% of global turnover is enough to start making company boards ask questions about preparedness and impacts.
I don't agree, the ICO is a total joke and hopefully GDPR will allow them/some other body to give proper fines.

There have been cases where spam companies have done 100m SMS/phone calls and got a £100K fine (which they can just prepack away). It's probably a tenth of their telecom cost per call. Just a cost of doing business.

The fact I used to get regularly spammed by the ICO themselves (I edited a magazine on a completely unconnected topic; they insisted on sending press releases that had nothing to do with our subject matter), and they ignored all requests to be removed from their list, has never exactly given me much confidence in them.
That's a different issue, though. In your example, the company is actively doing something malicious, and accepting the fine for getting caught as part of their costs. Other than the threat of a really huge fine (or worse sanctions), they're unlikely to stop.

In this case, it's a company that's not actively trying to be malicious, but rather due to [cost-saving/incompetence] has underfunded IT security to an excessive degree. For them, and others like them, to change their ways it's a lot less self evident that the fine needs to be huge. The fine (and accompanying reputational damage) just needs to be enough to make them, and similar companies, take IT security seriously.

Very different situations, really.

Hopefully this will impact on their profits a little to make the fine have more of an economic impact so that it creates an example to those who don't take data privacy and security seriously.
Yeah but... it's too small to do that. £400k? Hiring two security professionals for 4 years would easily cost that. The average time between fines is more than 4 years, and there's a pretty reasonable chance the security guys would overlook this anyway.

£400k is nothing.

All of this data was leaked through a WordPress plugin uploaded to an old installation; WordPress is one of the easiest platforms to secure (IMO) so can't understand why organisations can't take the short amount of time needed to secure it.
Peanuts. The GDPR strategy of fining a percentage of revenue is the only way to make companies take this seriously.
I'd be interested to know which company thinks a £400,000 needless expense isn't a problem.

I jump through hoops to get a £7 train ticket paid.

Probably £70 after taking account your salary, the salary in the finance dept for reviewing, possibly your supervisor, and all the associated IT costs!
The company is doing £10B in sales, do you think they're going to restructure their IT to be more protective of user data because they got a fine that's 0.1% of their £500M gross profit?

If they let a £10 train ticket slide for each employee it would be more than this fine.

Put that into context, fine me £3 for doing something bad...
The short version is that Carphone Warehouse had a very outdated copy of Wordpress, a database with no encryption of passwords, a generally sloppy infrastructure security-wise, and you can pretty much guess the rest of the story.

While I agree with many others that this is a small fee all things considered, it does put other companies on notice: secure your shit or you'll be held liable (to some degree at least).

They shared passwords - how does that happen in a tech company? UK ICO needs more teeth, these sorts of failings should have punishments so severe that the company can't afford to pay dividends or bonuses.
Section 13 onwards makes for a great read as to how this all went down. The attacker used a common security scanning tool Nikto, which would have told them that WordPress and its plugins were horrifically out of date. Any tool could have found this (WPScan, Nessus.. a manual check through HTML source), but Nikto was likely identified due to some common defaults such as the User-Agent within the requests etc.

Once they identified the vulnerability to exploit, it seems they used genuine credentials to then place webshells on the server which gave them persistence - a low-level reverse shell if you will, allowing them to traverse the file system, execute commands as if they had genuine access. Next up, a quick grep for plaintext credentials that they can then pivot with. There are still questions around how those credentials were obtained, but they'd don't specifically call them out as being default.

The report then jumps to the person accessing databases (including payment card info.. whoops) - the question here is why did a Wordpress instance have access to such data? I can't imagine it would have needed it, so I suspect that they either had one huge DB server containing the backend for this WordPress instance, plus their customer data & payment info databases/tables. Or, the malicious actor traversed the internal network, using the WordPress as a pivot point.

Last point worth calling out, is that they are unsure how much of the data was actually exfiltrated - "[...] the transaction/payment card information referred to above was located and accessed: it cannot be ascertained whether or not some or all of that information was indeed exported, but that is a very realistic possibility." This is a common problem with breaches, and an area what active monitoring can help. By planting unique details/tokens into the database (users, payment information etc.), you can start scanning for them on the clear and dark web. As and when they appear, you can confirm if the data was exfiltrated (and with many honeypots, pinpoint time of the breach). This is one of the many reasons I put BreachInsider[0] together.

[0]https://breachinsider.com

Maybe they had the same database user for the Wordpress as something more sensitive, or maybe apache/php running as a user with more access than needed alowed them to pull more creds from the code for other apps on that box. Good reason to use enviroment variables rather than hard code. Either way, keeping sensitive customer information anywhere near a public facing Wordpress install is nuts, if that's what they did.
possibly the WordPress install did not use a dedicated db user/password - its possible that the root user and password was used.
Good point, the report calls out that the root password for 40+ servers was the same, and that a large number of employees knew or used it. Seems sensible to transfer that same mentality across to other sensitive accounts.
Ouch having worked at BT our internal security would have had afield day with that - but Mobile telecoms where always considered much weaker technicaly.
Wordpress is like a gift that keeps on giving for hackers and blackhats. All it takes is missing one vital upgrade or using an outdated plugin.
Do you have a suggestion for a platform where missing a vital upgrade won't introduce security holes? I'd love to know what it is.
Static content, generated offline.

Each dynamic function remotely hosted by 3rd-party who knows security.

I have a feeling that if you tally up all the times a server was hacked, Wordpress will be the reason for the bulk of them. Yes many platforms when not kept upgraded will have holes, but nothing in the magnitude of the WordPress universe.
Or using an updated plugin that was bought by someone in order to get access to your WP instance ...
I'm in two minds about the actual penalty notice given here.

On the one hand, it's good to see an organisation receiving a real financial penalty after a serious breach, and apparently there were many serious failings in security on the part of Carphone Warehouse.

On the other hand, reading the Commissioner's views in the notice, there is a disturbing amount of commentary about measures not in place at Carphone Warehouse that asserts apparently without evidence that such measures are widely accepted security standards, either acknowledges that these measures may not have made any difference to this kind of attack anyway or implies again apparently without evidence that they would, and then considers the lack of each such measure to be a contravention in its own right.

I'm not sure this is a good thing, because if we took the principles indicated by those views and applied them more generally, I'm not sure many if any organisations would meet the required standards here.

For example, how many organisations that use WordPress to run their web sites have measures in place to detect unauthorised use of legitimately issued WordPress credentials? What would that even look like?

How many small organisations have a dedicated WAF box installed, or the money to run regular independent pentesting or hire suitably qualified in-house staff to do it? (Obviously we're not talking about a small organisation in the case at hand, so maybe the ICO would apply a more liberal standard in other situations.)

There is a reference to transaction data being encrypted but the encryption key being present in plain text in the application source code. Well, OK, but that key has to be present somewhere accessible on the system or you can't access the data at all even for legitimate purposes. If you've got an attacker who apparently already has access to both your database and your runtime system, I'm not sure what alternative they would have preferred to see that would have mitigated the damage materially here. Does it really matter whether the attacker looks at source code or somewhere else like environment strings, if the end result is the same either way?

Compared to obviously terrible practices like not updating externally accessible software for many years so the live version has multiple known vulnerabilities or storing full credit card data including things like CVCs for all historical transactions, some of the issues raised here seem both much more dangerous and much more practically mitigable than others.

Carphone warehouse is run on the cheap it was set up basically by a market trader and that mind set has carried through now they are a much larger organisation.
(comment deleted)
> For example, how many organisations that use WordPress to run their web sites have measures in place to detect unauthorised use of legitimately issued WordPress credentials? What would that even look like?

Install the free Wordfence plugin and you'll get an e-mail whenever someone logs in using an admin account.

Or you can block admin use from unauthorised IP addresses (or whitelist if you own the IP).

I limit SSH access to my ISPs net blocks, that's just a hobbyists personal computer on which I have no legal obligation to protect the data.

Is there an appeal/review process? So the primary issue the have is that their measures, whatever they were, were insufficient to prevent the hack. The definition of "accepted security standards," I think, is debatable in review if the defendant wants to argue that what they had was reasonable. Then they could actually argue their measures vs the Commissioner's ideas on their merits.

Otherwise it reads -- to me, a layman in these things -- like the standard pontification you get out of a prosecutor when they're showing off to the press.

What do people make of ICO's recommendation for production servers to have antivirus software installed? Is this a standard approach to Windows? Is it generally accepted?

Please excuse my ignorance.

I once got my daughter a phone from CW. As part of the process I needed to give them my mobile number - it was a show stopping requirement. About 3 months later I was getting spammed by an autodialler 3 or 4 times a day. The dialler never connected when answered. Calls were always different numbers, never blocked, but always UK based mobile phones. I phoned back and discovered that the recorded message I was put through was for a Telemarketer. But there was no way to stop them. I was already registered with the telephone preference service (TPS) and so should not be getting unsolicited spam marketing calls.

One day, out of the blue I answered the number and there was someone on the other end of the line. I then went through a difficult conversation where I attempted to get out of them why they were phoning me. I found out, (1) the company was called something ridiculous like the "phone delivery depot for your provider" and they were trying to sell mobile phone contracts by using that name when answering calls "Hi this is the 'hone delivery depot for your provider'", I kid you not. He even claimed to be from my mobile provider at one point (no he wasn't, I'd already checked that when I attempted to get them to block the calls.) (2) the guy on the other end of the phone knew quite a bit about me, so had access to data from a third party. (3) it was a total phishing exercise and they were trying to get fees for reselling the customers new fixed term contracts to them after they had become rolling monthlies.

After laying in to him I finally got the route of the data. "We get a lot of our leads from Carphone Warehouse." BING!! The moral of this story is, always read the fine print. I probably in haste missed a tick box or ticked the wrong box - or the girl serving me "helpfully" did it for me on their computer system without asking. Carphone Warehouse are a scummy company, with bad practices, and best advice is to avoid at all costs!

Put yourself on the do-no-call list (if you're in the UK) and never receive a spam call again. And on the very very rare occasion you do, just say "I'm on the do-not-call list by the way" and see how fast they hang up.

http://www.tpsonline.org.uk/tps/index.html

Takes 5 minutes.

> I was already registered with the telephone preference service (TPS) and so should not be getting unsolicited spam marketing calls.

GP already was.

I've been tempted to start answering the phone: "attorney general's office, consumer fraud division, how may I direct your call"
TPS only applies to 'unsolicited' marketing calls

If you've inadvertently agreed to marketing by overlooking some opt-out section of a contract then that counts as consent and TPS means nothing:

https://ico.org.uk/for-organisations/guide-to-pecr/electroni...

The issue is - if you don't understand why the marketers are calling you, it can seem like an unsolicited call. As I mentioned, they never answered the calls till the very last one and that took a good 2 - 3 months. I think they were using an autodialler with PAYG sim cards and refilling it every couple of weeks as I blocked each caller.

The problem was, I needed to answer my phone as I was working away from home at the time. Any of the calls could have been a valid call about my real life. I often got calls from people not in my contact list.. from random clients, my kids' schools, data centres or related to work.

Did that, I keep getting calls from the same scammy 'we hard you have had an accident' company every few months.

Apparently it has been reported multiple times, but the company doesn't have a well defined presence in UK, so they dodge any persecution.

"Who are you and why do you keep calling my daughter" tends to work for me
That's a joke. It would take them a lot more to fix than 400k. Just the pentests + risk assessments would cost more and they would also need to educate their personnel (developers, testers, DevOps, managers), and implement new policies and procedures, SDLC etc. The price of all of that would be well over a million.

400k is not even a slap on the wrist. I'm disappointed.