Millions of Carphone Warehouse customers' data got hacked last week. But we're only now hearing about it. Lesson #1: Don't do late PR.
The British mobile-device retailer is "sorry" that a "sophisticated" hacker stole its customers' personal data, some including credit card info. They're "investigating," with the help of "experts." Lesson #2: Don't do lame PR.
Yeah, yeah. It's the usual story. But this time, with a diffident accent.
Oh, and the Dixons Carphone sat on the bad news for three days, before burying it at the weekend. Lesson #3: Don't do cynical PR.
In IT Blogwatch, bloggers furiously facepalm at awful PR. Not to mention: More funny accents...
Your humble blogwatcher curated these bloggy bits for your entertainment.
[Updated 10:54 am and 3:35 pm PDT, with more comment and analysis]
Aunty Beeb speaks peace unto nations:
Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed [including] 90,000 customers'...encrypted credit card details.
…
Carphone Warehouse said it was informing all customers who may have been affected, [that] the attack was stopped "straight away" after it was discovered on Wednesday, [and that] the breach was likely to have occurred at some point "within the last two weeks before Wednesday."
…
The regulator in the area of personal data can impose fines of up to [$775,000] if a company is found to have not done enough to protect its customers' [data]. MORE
And Kelly Fiveash's subeds do their usual SHOUTY HED schtick:
Carphone Warehouse has taken three days to go public about a serious data breach. ... Up to 90,000 subscribers may have had their credit card info ransacked...by a "sophisticated cyber-attack."
…
[But the company] put the onus on customers to find out if their...info, had been stolen.
…
A spokesbeing told us...that the company had taken three days to inform customers of the attack because it wanted to first conclude an investigation...before going public. MORE
So Graham Cluley imagines the worst:
Every piece of personal data about you is a potential extra piece of the jigsaw. ... Imagine, for instance, if a company asks you to confirm your identity by telling it the first line of your address, your name and date of birth. Well, that's now in the hands of hackers.
…
Keep a close eye on your bank statements. ... It would be wise for customers to assume the worst, and consider changing their passwords [and] never use the same password on different websites. MORE
What about that three-day delay? Michael Bolton has his own theory:
Saturday afternoon is the best time of the week to release bad news to bury it. MORE
But what does the company have to say for itself? Here's some vapid, head-in-the-sand PR-speke from its customer FAQ:
This attack was a sophisticated one and is part of the reality of the modern world.
…
We want you to feel safe in all dealings with us. We have also put in place additional security measures to prevent further attacks.
…
We regret any inconvenience this incident may have caused. MORE
And Peter Spence channels Sebastian James, Dixons Carphone buck-stopper:
We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected. MORE
Meanwhile, Drew Olanoff puts down the crayons:
I swear, it’s almost a rule in communications and PR to start out every security-related statement with “we take the security of our blah blah very seriously.”
No ****. MORE
Update 1: "RH" doesn't believe it:
Unbelievable that Carphone warehouse still stores customer data unencrypted. If retailers can't do it themselves, legislation needs to be brought in to force customer databases to be encrypted above say, 100,000, users. MORE
Update 2: So why didn't they notice the breakin? Christopher Williams ponders that question:
Hackers bombarded Carphone Warehouse with online traffic as a smokescreen while they stole the personal and banking details of 2.4 million people [using a] Distributed Denial of Service (DDoS) as a cover.
…
A source with knowledge of the attack...said its online retail systems had come under bombardment before the major data theft was noticed on Wednesday.
…
According to internet security experts, criminals are increasingly using DDoS attacks. ... In the most famous case, in 2011, Sony’s PlayStation Network...was shut down for weeks after the personal and financial details of 77 million customers were stolen. ... Subsequent examples...include a 2012 attack on a bank during which card date was stolen and $9m drained from accounts. MORE
And Finally...
Speaking of funny accents
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.