Dixons Carphone hack should serve as wake-up call
Security experts have urged companies to decide what personal data is worth defending and adopt an “encrypt-everything” approach in the wake of Dixons Carphone’s huge data breach.
The consumer electronics retailer admitted that hackers were able to gain access to 5.9 million payment cards and 1.2 million personal data records – but that there was no evidence to date of any fraudulent use of the data.
Chief executive Alex Baldock said the company was taking the breach “extremely seriously” and admitted the business had “fallen short” in protecting its customers’ data.
Peter Carlisle, VP of EMEA at cloud and data security firm Thales eSecurity, says cyber criminals are getting “smarter, better and faster”, which has turned protecting customer data into an exhausting process.
“In the best effort to fight cybercrime head on, businesses need to take data security into their own hands, using a combination of preventative – not reactive – processes to throw hackers off track,” he said.
“Once organisations know exactly where their data resides, they need to determine what is worth defending and adopt an encrypt-everything approach.”
With the General Data Protection Regulation (GDPR) in full force, Carlisle says it’s no longer just a lack of customer trust and a tarnished reputation that’s at stake – but also the risk of losing €20 million or 4 per cent of annual revenue.
“A significant amount of money to lose for any business, now the perils of a data breach just got a lot more serious,” he said.
Paul Harris, managing director at cyber security firm Secarma, added: “This isn’t the first time Dixons Carphone has been in the headlines regarding a data breach.
“Cyber security can no longer be seen as an afterthought and whilst increased GDPR fines reportedly won’t apply, this latest incident needs to act as a wake-up call to companies across the UK.”
Paul Cant of US tech firm BMC Software echoed similar thoughts, and stressed that businesses cannot afford to leave cyber security as a “fleeting afterthought”.
“Only by relentlessly examining internal processes can companies discover how their systems storing data are configured, how they’re connected, where any vulnerabilities sit and then piece together a plan to remediate those vulnerabilities and correct them – keeping the personal data of their customers secure,” he said.
According to Steve Schult, senior director of product management at award-winning password manager LastPass, the lines between work and personal accounts are becoming increasingly blurry, which he warned could have a knock-on effect on enterprise security.
“With weak, reused and compromised passwords being the cause of many breaches, a recent study highlighted that 75 per cent of IT executives lacked control over password security in their organisations,” he said. “In many cases, employees are being left to their own devices, with companies failing to implement the right technology to close the divide.
“To counter this problem, it’s important to use unique passwords across all online accounts and change your password if you think it’s been leaked.
“It’s also worth turning on two-factor authentication where possible as this adds an additional layer of protection that will ensure an attacker won’t be able to access an account even if they do obtain the password.”