Big numbers this week: we discuss a data breach affecting 6.42 million SHEIN customers, a potential £30 million FCA fine for Tesco Bank, the UK’s new £250 million cyberwarfare unit, and a $148 million settlement for Uber
Hello and welcome to the IT Governance podcast for Friday, 28 September. Here are this week’s stories.
The online fashion retailer SHEIN (I’ve probably pronounced that wrong) has said that it suffered a data breach from June to August this year involving the personal information of approximately 6.42 million customers.
According to a press statement, malware has now been removed from the company’s servers and back doors used by the attackers have been closed. SHEIN declines to provide any further details.
There’s no mention of the incident on the company’s homepage, but in an FAQ page on its website, the company said an investigation “confirmed that the perpetrators gained access to email addresses and encrypted password credentials of customers who registered on the company website”. Payment card information was not stored on the company’s systems, so was not affected.
SHEIN advises its account holders to change their passwords by clicking a link in an email notification or logging into the website. My advice is to do this via the website rather than clicking an email link – given the fact that 6.42 million email addresses are known to have been accessed, the likelihood of phishing campaigns aiming to direct worried users to malicious sites is very high.
One other thing to note: although SHEIN trots out the usual spiel that every breached organisation somehow feels obliged to parrot about the importance of customer security and the sophistication of the cyber attack, it’s notable that there isn’t a hint of apology to customers – just a note that the company deeply regrets the inconvenience the attack may have caused – which doesn’t look good to me. Regretting possible inconvenience is emphatically not the same as saying sorry.
The Financial Conduct Authority is considering fining Tesco Bank as much as £30 million for an “unprecedented” security incident in November 2016 in which 9,000 current account customers reportedly lost about £2.5 million to fraud – a number of victims that was subsequently revised to just 50. The bank refunded all of them within days.
According to the Financial Times, it’s “typical for the FCA and a company to negotiate an eventual penalty even in a case where the company under investigation accepts the regulator’s findings of fact” and “Tesco Bank is hoping the matter will be resolved with a fine of under £20m”.
Mark Kleinman of Sky News, who first reported on the negotiations, said: “The size of the fine originally proposed by the FCA is likely to send shockwaves through City boardrooms, given the relatively limited extent of the Tesco Bank episode.”
An analyst told Kleinman that, “based on the number of customers who were affected, the FCA’s initial proposal implied that Britain’s biggest banks would in future face fines of hundreds of millions, or even billions, of pounds if they were hit by a large-scale cyberattack.”
Personally, I find it hard to be sympathetic if banks are found to be negligent in their data security practices. The FT reported at the time of the incident that Tesco Bank “ignored warning signs that its vulnerable software was being targeted by cyber criminals for months before thousands of its customers had money stolen”.
The Times reports that the unit “will comprise about 2,000 digital warriors, with experts recruited from the military, security services and industry”, quadrupling “the number of personnel in offensive cyber-roles and marks a step change in the nation’s ability to disrupt and destroy computer networks and internet-connected devices”.
Although political wrangling over how the new unit will be funded is reportedly causing delays, a government spokesperson said: “The MoD and GCHQ have a long and proud history of working together, including on the National Offensive Cyber Programme. We are both committed to continuing to invest in this area, given the real threats the UK faces.”
Finally, the controversial ride-sharing company Uber has agreed to pay a $148 million settlement in connection with its attempt to cover up a data breach in 2016, in which some 57 million customers’ and drivers’ data – including names, email addresses, mobile phone numbers and driving licence details – was exposed.
Rather than notifying the appropriate authorities, as required by law, Uber covered up the breach and paid the criminal hackers responsible $100,000 in exchange for their silence.
According to a press release from California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón:
“The nationwide settlement, which California helped to lead, calls for a $148 million penalty payment by Uber benefiting all 50 states and the District of Columbia. California will divide its $26 million share of the settlement between the California Attorney General’s Office and the San Francisco District Attorney’s Office. The settlement also includes additional terms to prevent future breaches and to reform Uber’s corporate culture. This settlement marks the first time the Attorney General has required a company to incorporate privacy-by-design into its products.”
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.