Profile picture
Dafydd Vaughan @dafyddbach
, 14 tweets, 2 min read Read on Twitter
The @iconews issued Carphone Warehouse with a £400,000 fine yesterday for a ‘cyberattack’ which compromised the personal data of around 3.4million people. The report should be read by everyone involved in running IT systems. ico.org.uk/action-weve-ta…
The servers were compromised through a 6 year old Wordpress installation that hadn’t been updated and patched. The attacker uploaded malicious plugins which allowed file and database access.
The attacker had valid admin credentials for the Wordpress installation. But, given it’s age, might not have needed them to successfully attack it.
The servers contained a large amount of personal data, including name, date of birth, addresses, telephone numbers, email addresses, marital status and full credit card information. Although the databases were encrypted, the encryption keys were stored in plaintext on the server.
There was a patch management standard in place. But it hadn’t been followed, and there was no mechanism to identify this.
There was a vulnerability scanning / penetration testing standard in place, which required a pen-test at least every 12 months. But it hadn’t been followed.
There was a policy in place to install antivirus software on all servers. But these servers didn’t have any, and there was no mechanism to identify this.
The operating system used on the servers had the same root/administrator passwords, which was known by 30-40 individual members of staff. There was no explanation for why this was the case.
The system contained large amounts of historical transaction data. Including full credit card data. Carphone Warehouse didn’t know it was storing this information & blamed an external developer for it being there
Their monitoring systems finally picked up the attack, but only 15 days after the system was first compromised, and after the attacker had extracted data from the system.
What makes this report interesting for people running IT systems is that the Information Commissioner deemed that each one of these would have been considered a breach of Data Protection Principle 7 in their own right.
Data Protection Act Principle 7: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
It’s no good having policies if you have no way of checking they’re actually being followed
Do any of those issues sound familiar to you? You might want to do something about it… /thread.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Dafydd Vaughan
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
🌳TGIF🌳

📌America deserves to know how
much money Trump is getting from the Saudi government. $3.6B to nuke the Iran deal?

📌Trump’s corruption is a national security issue.

📌Saudis may well have felt emboldened by Trump’s attacks on journalists as the “enemy of the people.”
🌳TGIF🌳

CT: “Trump (and some adult family) negotiated a deal with the Saudis and the Emiratis for 3.6 billion to get rid of Iran nuclear deal and reimpose sanctions. The payment was made in two installments. The first last year and the second earlier in 2018”
🌳TGIF3🌳

📌Trump’s “rhetoric against journalists probably encouraged the Saudis to do it,”

📌“Trump hates journalists & he would not react if we kill one journalist.”

📌Senators warn Congress may block Trump's SA arms deals
Read 89 tweets
Profile picture
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets
Profile picture
💥 Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach - Whistleblower describes how firm linked to former Trump adviser Steve Bannon compiled user data to target American voters - by @carolecadwalla @_EmmaGH theguardian.com/news/2018/mar/…
yesterday FB threatened to sue over the story
The app developed by Aleksandr Kogan's company Global Science Research (GSR) with Cambridge Analytica, collected data on hundreds of thousands of people - but then also collected data on millions of their friends, in ways not allowed by Facebook policy
theguardian.com/news/2018/mar/…
Read 29 tweets
Profile picture
🔥👇READ THIS👇 🔥

NYU School of Law's @BrennanCenter Comments to @FEC on transparency of who is spending BIG BUCKS for online political ads

🚨Google, Twitter, Facebook🚨

@SenateDems @HouseDemocrats @SenateGOP @HouseGOP @StopBigMoney @maddow @ACLU @AP

brennancenter.org/analysis/brenn…
The internet is "a ripe target for foreign adversaries seeking to meddle in elections." The widespread effort by Russian state proxies to influence American politics included covert expenditures on political ads online.

Online political spending, is likely to increase.
#REGULATE
We MUST have transparency for all sources of spending on political ads, regardless of the medium.

🚨FEC has not updated regulations for current realities of internet use.
🚨Congress has also failed to modernize campaign finance rules.

WE WANT ACTION!
@FEC @JudiciaryDems

@CNN
Read 22 tweets

Trending hashtags

#sockpuppets #workingpopulation #OwnersOfNigeriaPLC #GoodbyeDemocrats #opendata #public #dataprotection #AI #Russia #Mueller #8thref #ThursdayThoughts #BlueWave #prisonreform #MiddleClass #healthcare #InternalSecurity #FactFriday #MaxfieldParrish #Blockchain #cyberattacks #DemographicDividend #smarticities #manufacturing #PowerOutage

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!