Weekly podcast: Dixons Carphone, Fashion Nexus, Yale and Alaska

This week, we discuss the 10 million affected by Dixons Carphone’s 2017 data breach, the exposure of hundreds of thousands of clothes shoppers’ details, Yale University’s ten-year-old data breach, and a return to typewriters for government workers in Matanuska-Susitna Borough in Anchorage.

Hello and welcome to the IT Governance podcast for Friday, 3 August. Here are this week’s stories.

Dixons Carphone’s investigation into its 2017 data breach has found that as many as 10 million customers might have been affected rather than the 1.2 million it initially estimated when it discovered the breach last month.

It said this Tuesday: “While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone’s chief executive, Alex Baldock, added: “Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

The ICO’s investigation is ongoing and it’s still not clear whether the 1998 Data Protection Act or its replacement, the GDPR (General Data Protection Regulation), will apply.

Whichever law is deemed applicable will make a huge difference to Dixons Carphone’s fortunes: it could face either a maximum fine of £500,000 under the 1998 Act, or one of up to 4% of Dixons Carphone’s annual global turnover or €20 million (currently about £17.8 million) – whichever is greater – under the GDPR.

The ICO fined Dixons Carphone’s subsidiary Carphone Warehouse £400,000 in January for “systemic failures […] related to rudimentary, commonplace measures”, when it suffered a data security incident in 2015 in which 3 million customers’ details were compromised.

On Monday, Graham Cluley reported that Fashion Nexus, a web development and ecommerce company, suffered a data breach earlier this month when a security researcher called Taylor Ralston accessed a server containing a database that listed the personal details of a number of online clothing companies’ customers.

The “personal information of approximately 1.3 million users, including password hashes (MD5 and SHA-1, both salted), names, dates of birth, email addresses, phone numbers, and other data” was compromised, he said.

However, in a statement published on its homepage on Tuesday, Fashion Nexus admitted that 642,000 customer records had been exposed – a rather more conservative estimate than 1.3 million.

It said: “We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. These records do not contain any sort of payment card or bank account details and there is no evidence that any fraud has resulted.”

It added: “We would suggest that people change their passwords if they’ve been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk)[.]

“Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server.

“The breach was quickly identified and the vulnerability removed. The ICO has been informed.

“Fashion Nexus take our clients and their customer’s [sic] data security extremely seriously and we apologise that we have come up short in this instance.”

Ponemon Institute’s 2018 Cost of a Data Breach Study found that the mean dwell time of a data security incident – that is, the average period between its occurrence and identification – is now 197 days. The mean time to contain an incident is 69 days. This total of 266 days from occurrence to containment, or nearly nine months, seems a very long time, but sometimes it can take much, much longer.

Last week, Yale University announced that it had discovered a log revealing a ten-year-old data breach on its systems, in which personal information relating to people affiliated with the university before February 2009, including their names, dates of birth, Social Security numbers, Yale email addresses and, in some cases, physical addresses, was compromised.

ZDNet reports that 119,000 individuals were affected.

Yale explained: “Between April 2008 and January 2009, intruders gained access to a database stored on a Yale server. Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred. In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time.”

The university has offered free credit monitoring services to those affected.

Government workers in Matanuska-Susitna Borough in Anchorage, Alaska, have had to resort to using typewriters after a malware infection crippled the Borough’s IT systems last week, compromising computers, servers, networked telephones and its email exchange.

The Borough’s IT director, Eric Wyatt, reported on Monday that the malware attack was “multi-pronged” and “multi-vectored”, and included the BitPaymer (also known as FriedEx) ransomware – a strain linked to the group responsible for the Dridex banking trojan.

Mat-Su Borough Manager John Moosey declared the situation a disaster on Tuesday, saying that disruption to Borough services “may continue for a prolonged time”. Officials are now completely rebuilding the network.

According to Bleeping Computer, Mat-Su’s public affairs director, Patty Sullivan, said: “Without computers and files, Borough employees acted resourcefully. They re-enlisted typewriters from closets, and wrote by hand receipts and lists of library book patrons and landfill fees at some of the 73 different buildings.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.