Dafydd Vaughan @dafyddbach, 14 tweets, 2 min read
The @iconews issued Carphone Warehouse with a £400,000 fine yesterday for a ‘cyberattack’ which compromised the personal data of around 3.4 million people. The report should be read by everyone involved in running IT systems. ico.org.uk/action-weve-ta…
The servers were compromised through a 6 year old WordPress installation that hadn’t been updated and patched. The attacker uploaded malicious plugins which allowed file and database access.
The attacker had valid admin credentials for the WordPress installation. But, given its age, might not have needed them to successfully attack it.
The servers contained a large amount of personal data, including name, date of birth, addresses, telephone numbers, email addresses, marital status and full credit card information. Although the databases were encrypted, the encryption keys were stored in plaintext on the server.
There was a patch management standard in place. But it hadn’t been followed, and there was no mechanism to identify this.
There was a vulnerability scanning / penetration testing standard in place, which required a pen-test at least every 12 months. But it hadn’t been followed.
There was a policy in place to install antivirus software on all servers. But these servers didn’t have any, and there was no mechanism to identify this.
The operating system used on the servers had the same root/administrator passwords, which were known by 30-40 individual members of staff. There was no explanation for why this was the case.
The system contained large amounts of historical transaction data, including full credit card data. Carphone Warehouse didn’t know it was storing this information & blamed an external developer for it being there.
Their monitoring systems finally picked up the attack, but only 15 days after the system was first compromised, and after the attacker had extracted data from the system.
What makes this report interesting for people running IT systems is that the Information Commissioner deemed that each one of these would have been considered a breach of Data Protection Principle 7 in their own right.
Data Protection Act Principle 7: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
It’s no good having policies if you have no way of checking they’re actually being followed.
Do any of those issues sound familiar to you? You might want to do something about it… /thread.
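The thread's closing point is that a policy is worthless without a mechanism that checks it is followed. As an added example (not from the thread or the ICO report), here is a small audit that compares a host inventory against the controls the thread lists: patch currency, the 12-month pen-test rule, antivirus presence, plaintext encryption keys on the server, and root passwords shared across hosts. The inventory, the 30-day patch threshold and the hash values are constructed assumptions.

```python
from datetime import date

# Assumed policy thresholds: the thread only states the 12-month pen-test rule,
# the 30-day patch window is a constructed example value.
MAX_PATCH_AGE_DAYS = 30
PENTEST_INTERVAL_DAYS = 365
AUDIT_DATE = date(2015, 8, 5)  # constructed audit date


def audit_host(host, today):
    """Return (control, detail) findings for one host record."""
    findings = []
    patch_age = (today - host["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(("patch_management", f"last patched {patch_age} days ago"))
    pentest_age = (today - host["last_pentest"]).days
    if pentest_age > PENTEST_INTERVAL_DAYS:
        findings.append(("pentest", f"last pen-test {pentest_age} days ago"))
    if not host["antivirus_installed"]:
        findings.append(("antivirus", "no antivirus agent present"))
    if host["key_plaintext_on_host"]:
        findings.append(("key_management", "encryption key stored in plaintext on the server"))
    return findings


def audit_fleet(hosts, today):
    """Audit every host, then flag root passwords shared between hosts."""
    report = {h["name"]: audit_host(h, today) for h in hosts}
    by_hash = {}
    for h in hosts:
        by_hash.setdefault(h["root_password_hash"], []).append(h["name"])
    for names in by_hash.values():
        if len(names) > 1:
            for n in names:
                report[n].append(("shared_root_password",
                                  f"root password shared with {len(names) - 1} other host(s)"))
    return report


# Constructed sample inventory; the hash values are placeholders, not real credentials.
SAMPLE_HOSTS = [
    {"name": "web-01", "last_patched": date(2010, 6, 1), "last_pentest": date(2013, 1, 10),
     "antivirus_installed": False, "key_plaintext_on_host": True, "root_password_hash": "HASH-A"},
    {"name": "web-02", "last_patched": date(2015, 7, 20), "last_pentest": date(2015, 3, 1),
     "antivirus_installed": True, "key_plaintext_on_host": False, "root_password_hash": "HASH-A"},
    {"name": "web-03", "last_patched": date(2015, 7, 25), "last_pentest": date(2015, 1, 15),
     "antivirus_installed": True, "key_plaintext_on_host": False, "root_password_hash": "HASH-B"},
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, AUDIT_DATE).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample inventory, web-01 trips every control the thread mentions, web-02 is flagged only for sharing its root password, and web-03 passes.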