Announced so soon after GDPR becomes law. Coincidinks?
Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards
Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …
COMMENTS
Wednesday 13th June 2018 17:31 GMT TkH11
They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum £500,000 fine; now that they have chosen to report the breach under GDPR, the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10 billion.
Wednesday 13th June 2018 11:03 GMT Anonymous Coward
There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout? CEOs / corporate executives like to back-date their stock options! GDPR still leaves lots of room for other weasel clauses:
--------------
https://www.securitynow.com/author.asp?section_id=613&doc_id=740638
Wednesday 13th June 2018 11:40 GMT ibmalone
Re: There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout?
One principle of law is that civilised countries don't generally make things retrospectively illegal, i.e. outlawing the purchase of red lollipops doesn't let you arrest everyone who bought one last week.
What I'm not sure about is where reporting of undisclosed breaches prior to GDPR stands; you could certainly be required to report a recent breach that occurred prior to the legislation, as not reporting it is something you would be doing now. (Not having read those requirements in detail, I'd guess this is addressed.)
Wednesday 13th June 2018 12:11 GMT }{amis}{
Re: There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout?
I asked my company's semi-tame in-house lawyer this question this morning.
His response was that for criminal law you will be judged and sentenced under the law that was in effect at the time of offending.
What can throw a spanner into the works, though, is the case law, i.e. the interpretation of the law can change, and the most current interpretation is always used.
Wednesday 13th June 2018 17:35 GMT TkH11
Re: There's another weasel clause right there
The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here: that of when they reported the breach. They could have reported the breach under the DPA, but they left it and reported it under GDPR. So which is relevant: when the breach occurred, when they detected it, or when they reported it?
Thursday 14th June 2018 16:54 GMT Lusty
Re: There's another weasel clause right there
"So which is relevant, when the breach occurred, or when they detected it, or when they reported it?"
If only there were some kind of document we could consult to find such answers... Oh yes, they wrote the GDPR down so we don't have to guess.
It's only 88 pages long, including the <intentionally blank> bits. Just read it!!
Thursday 14th June 2018 17:27 GMT Andy Humphreys
Re: There's another weasel clause right there
My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now that they know about the breach, they have to report it in under 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored. Either way, seems like a cock-up.
Wednesday 13th June 2018 10:06 GMT Pen-y-gors
A fairly basic question...
Why do all these businesses store credit card details? Small businesses have a system where they let a payment provider take the details and just say yes/no. Or, even if the details are gathered locally, why do they need to be stored on a customer record once the details have been transmitted to the bank and the payment authorised?
That would expose far fewer bits of critical data. Before now I've refused to develop an online shop for a customer who wanted to store CC details!
And let's face it, if they crack the bank, Worldpay or PayPal you're stuffed anyway. Getting your CC details will be the least of the problems.
Wednesday 13th June 2018 12:05 GMT Alister
Re: Why do businesses store credit cards
Because unfortunately most of us are lazy and don't want to have to enter our details every time we're ordering something.
Even then, if done properly, there is no need to store the full card details anywhere on the system.
Instead, you store an authentication token from whichever payment gateway provider you use (Verifone, Worldpay, AllPay etc.), which is generated on the first purchase. This authentication token is unique to the user's card and CVV, and can therefore be used for subsequent purchases.
You would typically store the last four digits of the card, simply to be able to present it visually to the user in their account details on your site, so they can identify the card, but it isn't used for transactions.
The CVV should never, ever be stored.
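To make the token-only model above concrete, here is an added example (not code from the original thread, from Dixons Carphone, or from any real gateway). The gateway class, token format and record layout are assumptions for illustration: the merchant keeps only the gateway token, the last four digits and the expiry, the full PAN and CVV are handed to the gateway exactly once and dropped, and a Luhn-based scan refuses to persist any free-text field that contains something that looks like a card number.

```python
"""Tokenised card-on-file storage, as an added illustration.

FakeGateway stands in for a real PCI-scoped provider (Worldpay, Verifone, ...);
its token format and API are assumptions for this example only.
"""
import re
from dataclasses import dataclass

# A run of 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit run. Candidates are confirmed with Luhn below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the checksum every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid digit runs in `text`, i.e. things that look like card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass(frozen=True)
class StoredCard:
    """The only card data the merchant keeps. Note: no PAN, no CVV."""
    gateway_token: str   # opaque reference minted by the gateway on first purchase
    last4: str           # display only, so the customer can recognise the card
    expiry: str          # "MM/YY", for display and expiry reminders


class FakeGateway:
    """Hypothetical stand-in for a payment gateway. The vault lives on its side,
    inside its PCI DSS scope, never on the merchant's."""

    def __init__(self):
        self._vault = {}

    def tokenise(self, pan: str, cvv: str, expiry: str) -> str:
        token = f"tok_{len(self._vault) + 1:06d}"     # assumed token format
        self._vault[token] = (pan, expiry)            # CVV is used for the first auth, never kept
        return token

    def charge(self, token: str, pence: int) -> bool:
        """Subsequent purchases reference the token only."""
        return token in self._vault and pence > 0


def tokenise_first_purchase(pan: str, cvv: str, expiry: str, gateway) -> StoredCard:
    """Send the full card details to the gateway once; keep only what it returns plus last4."""
    token = gateway.tokenise(pan=pan, cvv=cvv, expiry=expiry)
    # pan and cvv go out of scope here; nothing persisted below can reach them.
    return StoredCard(gateway_token=token, last4=pan[-4:], expiry=expiry)


def safe_to_persist(record: dict) -> bool:
    """Guard before writing a customer record: refuse any CVV field and any
    string value that carries a Luhn-valid card number (e.g. a PAN pasted
    into an order note by an agent)."""
    if any(k.lower() in ("cvv", "cvc", "cvv2") for k in record):
        return False
    for value in record.values():
        if isinstance(value, str) and find_pans(value):
            return False
    return True


if __name__ == "__main__":
    gw = FakeGateway()
    # Constructed test PAN (the well-known Visa test number), not a real card.
    card = tokenise_first_purchase("4111111111111111", "123", "12/29", gw)
    print(card)                                   # StoredCard(gateway_token='tok_000001', last4='1111', expiry='12/29')
    print(gw.charge(card.gateway_token, 4999))    # True: repeat purchase without the PAN
    print(safe_to_persist({"name": "A. Customer", "token": card.gateway_token, "last4": card.last4}))  # True
    print(safe_to_persist({"name": "A. Customer", "note": "paid with 4111 1111 1111 1111"}))            # False
```

The `safe_to_persist` guard is the part worth copying: the token design is only as good as the discipline that keeps PANs out of every other column, and a Luhn scan on the way to the database catches the order-note and CRM-comment leaks that audits routinely turn up.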
Thursday 14th June 2018 06:45 GMT Anonymous Coward
Re: Why do businesses store credit cards
I bought a phone from CPW in January, with a UK card not used elsewhere. On Monday I got a call to tell me it's been fraudulently used to buy Tesco Mobile stuff and Viagogo tickets to the value of about a grand.
I suspect Dixons only found out about this fraud because the credit card companies that were seeing fraud linked them.
It also seems to be untrue that CVV data wasn't accessed...
Wednesday 13th June 2018 21:41 GMT Anonymous Coward
Re: Refunds
By law the payment system has to be able to put a refund back on that card. Why it is stored in-house and not in the payment system is the real question. Why it is stored for future automated payments or quick checkouts is the other.
But the storage needs to be there for the refund system as far as I know.
Wednesday 13th June 2018 10:49 GMT Lee D
Re: A fairly basic question...
I work for private schools.
They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.
Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities, etc.).
Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.
But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or, at best, take the details over the phone and type them into the card machine as CNP transactions), Direct Debits, etc., or they use something like Worldpay or similar, but they don't store / process card information themselves.
I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job: no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.
And, yes, we do get targeted. We literally get targeted, faked, convincing emails pretending to be from the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and, when we phone up to confirm, are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.
But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring the head office number that I have on your previous invoices on another line to confirm that).
However, I can't imagine the carnage if such a place were to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including the children's names, real address (not just the agent's), where they summer, what their mobile phone numbers are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples' spats with the school, etc.). Before you even get into credit card numbers.
And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.
Wednesday 13th June 2018 12:12 GMT FuzzyWuzzys
Re: A fairly basic question...
I can think of a few cases...
They want CCs because someone wrote some shitty payment system for their website and they don't want to bugger about with trying to tie into a proper payment vendor.
A payment vendor will charge a management fee to handle the transaction, and places like "CackPhone Whorehouse" don't want to pay the fees and would rather put your info at risk.
They want the CC data in case you spend money at another company under the control of their parent company; then they can tie all that juicy data together without having to a) wait for another data breach release on the black market or b) pay some shyster to hack Facebook accounts for your toilet habits!!
Wednesday 13th June 2018 12:44 GMT Moog42
Re: A fairly basic question...
'Would you like to create an account to make your shopping experience easier next time?'
Right up until we lose it.
11 months is a long time. Have they just been holed up in The Winchester hoping it will all blow over? And I'm really not quite sure how they can be so certain that nothing has happened with those details in all that time.
Wednesday 13th June 2018 16:59 GMT Stuart 22
Re: A fairly basic question...
"Why do all these businesses store credit card details?"
These are very high numbers for people who elect to have their cards saved when making an online purchase from DSG. Looks more like DSG have logged every purchase.
Given I've bought stuff in-shop and online but not stored my details, have they been leaked or not? I await some correspondence from DSG with interest.
Wednesday 13th June 2018 10:15 GMT mrdalliard
"We are extremely disappointed and sorry for any upset this may cause."
<gah>
What is it about corporate statements?
Instead of "We got compromised and we're sorry we let that happen.", we get that. There's this continual thing in corporate communications where they're "sorry" that an event occurred and they're "sorry" about any inconvenience caused, but why do they word things in such a way that almost distances them from taking any ownership, rather than "Sorry. We fucked up"?
Again.
</gah>
M.
Wednesday 13th June 2018 11:14 GMT Anonymous Coward
'why do they word things in such a way that almost distances them from taking any ownership'
... Accountability.... That's why Zuk lied to lawmakers for 11 hours straight... Until more firms start taking a 300m FedEx/Maersk-like hit to their bottom line, losing your details is just the cost of doing business! As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistakes from repeated entry.
Wednesday 13th June 2018 15:46 GMT James O'Shea
Oh, please... a mere 100 GBP? A pittance. Here in Deepest South Florida, at my local Best Buy they have $300 to $400 HDMI cables _in stock_ and can special-order $600-700 cables. My fav Best Buy HDMI cable, the $1095 one, doesn't seem to be available any more. Or maybe they're just too embarrassed to admit that it ever existed.
I go to Best Buy mostly to get a laugh, those boys are living in a world all their own.
Wednesday 13th June 2018 12:00 GMT David Nash
Re: Information was accessed but hasn't left their systems?
It's completely meaningless. What does "leaving the system" mean? Erased? Nobody thinks that's happened. Transmitted to another party? Of course, that's what "accessed" means. Unless the hacker was reading the HDD with a compass needle!