Attacker Breached WordPress Installation Outdated by 6 Years
Britain’s data privacy watchdog has imposed one of its largest fines ever against retailer Carphone Warehouse over a massive data breach it suffered in 2015 (see Carphone Warehouse Hack Exposes Data of 2.4 Million Customers).
The Information Commissioner’s Office announced the £400,000 ($675,000) fine on Wednesday, saying that “serious failures” by the London-based mobile phone retailer, which is a subsidiary of Dixons Carphone, “placed customer and employee data at risk.”
The data breach of Carphone Warehouse affected its online division, which operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites, and resulted in unauthorized access to the personal data of 3.3 million customers and 1,000 employees. Compromised customer data included names, addresses, phone numbers, birthdates, marital status and – for more than 18,000 customers – historical payment card data. Carphone Warehouse employees, meanwhile, saw their names, phone numbers, postcodes and car registration numbers get exposed.
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” U.K. Information Commissioner Elizabeth Denham says.
“Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” she adds.
As the ICO offers a 20 percent discount on fines that are paid within one month, it’s expected that Carphone Warehouse will ultimately pay £320,000 ($432,000).
Attack Vector: Outdated WordPress Installation
The 2015 breach resulted from an attack that ran that year from July 21 to Aug. 5, when Carphone Warehouse discovered and blocked it.
While the ICO’s breach report says there was “no single root cause” of the attack, it appeared to involve compromising a vulnerable WordPress installation that “was considerably out-of-date, exposed to the internet and suffered from multiple vulnerabilities.” Via WordPress, the attacker uploaded web shells that gave them file management and database access rights, the ICO says. At that point, the attacker recovered credentials that were being stored in plaintext, which led to the attacker accessing the databases that exposed customer data.
The ICO says that “Carphone Warehouse initially indicated that one or more [WordPress] vulnerabilities were exploited by the attacker, but has since submitted that valid login credentials were used for the WordPress administrative account.”
Patch Management Failure
Regardless, the ICO notes that attackers had plenty of ways to break in, including via Carphone Warehouse’s WordPress installation, which dated from 2009 and hadn’t been updated since, meaning it was six years out of date at the time of the attack. “Although a ‘patch management standard’ was in place, it was not being followed by the relevant business area,” the ICO’s report says. “No measures were in place to check whether software updates and patches were implemented regularly in accordance with Carphone Warehouse’s policy.”
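An added example, not taken from the ICO report or from Carphone Warehouse: a minimal check of the kind the report says was missing. It walks a web root, reads each WordPress installation's wp-includes/version.php and flags any version below a policy baseline. The baseline MIN_VERSION, the function names and the three sample sites are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: policy baseline chosen for illustration, not a value from the article.
MIN_VERSION = (4, 9)

# WordPress records its release in wp-includes/version.php as $wp_version = 'x.y.z';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)""")

def parse_version(text):
    """Return $wp_version from version.php content as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(root, minimum=MIN_VERSION):
    """Walk root and report (site_path, version, status) for every install found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in filenames:
            continue
        path = os.path.join(dirpath, "version.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
        if version is None:
            status = "UNKNOWN"   # unreadable version is a finding, never a pass
        elif version < minimum:
            status = "OUTDATED"
        else:
            status = "OK"
        findings.append((os.path.dirname(dirpath), version, status))
    return sorted(findings, key=lambda f: f[0])

def build_sample_tree(root):
    """Constructed sample data: three fake sites under root."""
    samples = {"shop": "<?php\n$wp_version = '2.8.4';\n",
               "blog": "<?php\n$wp_version = '4.9.1';\n",
               "old": "<?php\n// version line missing\n"}
    for site, body in samples.items():
        inc = os.path.join(root, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, version, status in audit(tmp):
            print(status, site, version)
```

Run on a schedule and alert on any OUTDATED or UNKNOWN result, so that the written patch standard is verified rather than assumed.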
Carphone Warehouse says it has addressed the problems that led to the 2015 breach.
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues,” the company says in a statement.
“Since the attack in 2015 we have worked extensively with cybersecurity experts to improve and upgrade our security systems and processes,” it adds. “We are very sorry for any distress or inconvenience the incident may have caused.”
Equals TalkTalk Fine
The size of the fine against Carphone Warehouse equals the ICO’s record fine for London-based telecommunications giant TalkTalk in October 2015. The ICO slammed TalkTalk’s poor information security practices after it suffered a SQL injection attack that resulted in the theft of customers’ personal information and said it had not imposed the maximum potential fine of £500,000 ($540,000) because the company had come clean quickly, cooperated with investigators and rapidly mitigated the problem (see TalkTalk Breach Investigation: Top Cybersecurity Takeaways).
In August 2017, however, the ICO again fined TalkTalk, this time for £100,000 ($135,000), after it failed “to look after its customers’ data,” leaving it at risk of “falling into the hands of scammers and fraudsters.”
GDPR Enforcement Looms
The Carphone Warehouse penalty comes just months before the EU begins enforcing its General Data Protection Regulation on May 25, 2018.
Under GDPR, any organization worldwide that suffers a breach that exposes Europeans’ personal information must notify their “relevant supervisory authority” within 72 hours of discovering the breach.
“From 25 May this year, the law is set to get more stringent as the General Data Protection Regulation (GDPR) comes into effect,” the ICO says. “Data protection by design is one of the requirements and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards and policies that an organization has or should have.”
The ICO maintains a guide to GDPR as well as a list of 12 steps all organizations should take now and checklists for data controllers and processors.
Security Research Safeguards
The British government is now moving to pass a new Data Protection Bill that will bring the country’s privacy laws in line with GDPR, including the ability to levy fines of up to £18 million ($24 million) or 4 percent of an organization’s annual, global turnover.
The draft bill would make it a criminal offense to “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data.”
But the government last week introduced an amendment to the bill designed to protect security researchers working in the public interest.
The amendment stipulates that any researcher who successfully deanonymizes personal data will be safe from prosecution, so long as they are not intending to cause harm and also notify the ICO within 72 hours. As an upside, the ICO will liaise with the organization whose data was successfully deanonymized to fix the underlying problems.
Lukasz Olejnik, an independent cybersecurity and privacy researcher who had argued against initial plans to ban deanonymization research and testing, tells the Guardian that the amendments offer “a reasonable compromise” between researchers and the potential that these research exceptions might be abused.
UK is allowing de-identification research/testing to their Data Protection Bill. No total delegalisation. This is great news! I’m happy if my voice changed #DPBill in any case. #GDPR https://t.co/1hooAgyQtK pic.twitter.com/w0UjW50m8m
— Lukasz Olejnik (@lukOlejnik) January 9, 2018
“I’m especially impressed with designing a responsible way of submitting privacy weaknesses directly to ICO,” he says. “In this way, the role of ICO is even strengthened as a mediator between researchers and organizations.”