Weekly podcast: Jewson, Huddle, Equifax (yet again)

This week, we discuss security breaches at Jewson and Huddle, and Equifax’s post-breach losses.

Hello and welcome to the IT Governance podcast for Friday, 17 November 2017. Here are this week’s stories.

The builders’ merchant Jewson has informed customers that its Jewson Direct website suffered a security breach in August that could have compromised personal information including payment card details.

In a statement published on its main website (which Google handily identifies as not secure), Jewson said:

“The breach was discovered on 3 November 2017. On becoming aware of the breach, we have temporarily shut down the website www.jewsondirect.co.uk.

“We have notified 1,659 customers whose data may have been compromised and are offering free credit monitoring to those affected to help detect any potential misuse of data in the future.

“Only the Jewson Direct website was affected by the security breach.

“Our main website www.jewson.co.uk , our credit account customers and transactions across our branch network are not affected by the security breach and are operating normally.”

The Register, which broke the story on Tuesday, saw a copy of the letter Jewson sent to affected customers. It said that customer “names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers ‘may’ have fallen into the hands of an ‘unauthorised person’” as a result of the breach” – which is “odd” considering Jewson claims not to store cardholder data.

The Information Commissioner’s Office is investigating.

The BBC’s technology reporter Chris Foxx reported on Monday that one of his colleagues discovered a security flaw in the content collaboration tool Huddle when he inadvertently accessed private documents belonging to the big-four accounting firm KPMG.

The BBC correspondent had tried to sign into his BBC account to access a shared diary, but was accidentally logged into a KPMG account instead, where he found he had “full access to private financial documents” including “invoices, and an address book”.

According to the BBC, the problem arose because Huddle didn’t generate unique authorisation codes for each user during the login process. If two users “arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code. […] Since both User A and User B present the same authorisation code, whoever is fastest to request the security token is logged in as User A”.

Huddle has now fixed the flaw so that no two users are ever simultaneously issued the same code, and has apologised to its customers.

The bug affected “six individual user sessions between March and November this year”, it said. “With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare.”

Finally, time for this week’s Equifax update (because this particular story looks likely to run and run). According to its Q3 results, Equifax recorded $87.5 million in expenses related to the hack during the quarter and its net income dropped 27% compared with Q3 2016.

“The cybersecurity incident has had a negative impact on our reputation, and we cannot assure it will not have a long-term effect on our relationships with our customers, our revenue and our business,” it said in a quarterly filing with the Securities and Exchange Commission.

Perhaps more alarming for its shareholders, it admitted: “We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again. […] If we experience additional breaches of our security measures, sensitive data may be accessed, which could cause us significant additional legal and financial exposure and damage to our reputation that could have a material adverse effect on our business.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.

Oh, one last thing: as you probably know, it was Patch Tuesday this week. (If you don’t, Microsoft releases its security patches on the second Tuesday of the month. Patch Tuesday. See?) This month, Microsoft issued fixes for 53 CVE-listed flaws, 19 of which are rated critical. Update now if you haven’t already.