
Carphone Warehouse fined after failures put customer and employee data at risk - robin_reala
https://ico.org.uk/action-weve-taken/enforcement/the-carphone-warehouse-ltd/
======
memsom
I once got my daughter a phone from CW. As part of the process I needed to
give them my mobile number - it was a show-stopping requirement. About 3
months later I was getting spammed by an autodialler 3 or 4 times a day. The
dialler never connected when answered. Calls were always different numbers,
never blocked, but always UK based mobile phones. I phoned back and discovered
that the recorded message I was put through was for a Telemarketer. But there
was no way to stop them. I was already registered with the telephone
preference service (TPS) and so should not be getting unsolicited spam
marketing calls.

One day, out of the blue I answered the number and there was someone on the
other end of the line. I then went through a difficult conversation where I
attempted to get out of them why they were phoning me. I found out, (1) the
company was called something ridiculous like the "phone delivery depot for
your provider" and they were trying to sell mobile phone contracts by using
that name when answering calls "Hi this is the 'phone delivery depot for your
provider'", I kid you not. He even claimed to be from my mobile provider at
one point (no he wasn't, I'd already checked that when I attempted to get them
to block the calls.) (2) the guy on the other end of the phone knew quite a
bit about me, so had access to data from a third party. (3) it was a total
phishing exercise and they were trying to get fees for reselling the customers
new fixed term contracts to them after they had become rolling monthlies.

After laying into him I finally got the root of the data. "We get a lot of
our leads from Carphone Warehouse." BING!! The moral of this story is, always
read the fine print. I probably in haste missed a tick box or ticked the wrong
box - or the girl serving me "helpfully" did it for me on their computer
system without asking. Carphone Warehouse are a scummy company, with bad
practices, and best advice is to avoid at all costs!

~~~
orf
Put yourself on the do-not-call list (if you're in the UK) and never receive a
spam call again. And on the very very rare occasion you do, just say "I'm on
the do-not-call list by the way" and see how fast they hang up.

[http://www.tpsonline.org.uk/tps/index.html](http://www.tpsonline.org.uk/tps/index.html)

Takes 5 minutes.

~~~
dingaling
TPS only applies to 'unsolicited' marketing calls

If you've inadvertently agreed to marketing by overlooking some opt-out
section of a contract then that counts as consent and TPS means nothing:

[https://ico.org.uk/for-organisations/guide-to-pecr/electroni...](https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/#consent)

~~~
memsom
The issue is - if you don't understand why the marketers are calling you, it
can seem like an unsolicited call. As I mentioned, they never answered the
calls till the very last one and that took a good 2 - 3 months. I think they
were using an autodialler with PAYG sim cards and refilling it every couple of
weeks as I blocked each caller.

The problem was, I needed to answer my phone as I was working away from home
at the time. Any of the calls could have been a valid call about my real life.
I often got calls from people not in my contact list: from random clients, my
kids' schools, data centres or related to work.

------
graystevens
Section 13 onwards makes for a great read as to how this all went down. The
attacker used a common security scanning tool Nikto, which would have told
them that WordPress and its plugins were horrifically out of date. Any tool
could have found this (WPScan, Nessus.. a manual check through HTML source),
but Nikto was likely identified due to some common defaults such as the User-
Agent within the requests etc.

Once they identified the vulnerability to exploit, it seems they used genuine
credentials to then place webshells on the server which gave them persistence
- a low-level reverse shell if you will, allowing them to traverse the file
system, execute commands as if they had genuine access. Next up, a quick grep
for plaintext credentials that they can then pivot with. There are still
questions around how those credentials were obtained, but they don't
specifically call them out as being default.

The report then jumps to the person accessing databases (including payment
card info... whoops) - the question here is why did a Wordpress instance have
access to such data? I can't imagine it would have needed it, so I suspect
that they either had one huge DB server containing the backend for this
WordPress instance, plus their customer data & payment info databases/tables.
Or, the malicious actor traversed the internal network, using the WordPress as
a pivot point.

Last point worth calling out, is that they are unsure how much of the data was
actually exfiltrated - "[...] the transaction/payment card information
referred to above was located and accessed: it cannot be ascertained whether
or not some or all of that information was indeed exported, but that is a very
realistic possibility." This is a common problem with breaches, and an area
where active monitoring can help. By planting unique details/tokens into the
database (users, payment information etc.), you can start scanning for them on
the clear and dark web. As and when they appear, you can confirm if the data
was exfiltrated (and with many honeypots, pinpoint time of the breach). This
is one of the many reasons I put BreachInsider[0] together.

[0][https://breachinsider.com](https://breachinsider.com)
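The honeytoken idea in the last paragraph, as an added example that is not from the comment or from BreachInsider: planted records are derived with an HMAC from a key kept outside the database, so a later scan of any text (a pasted dump, a sample forwarded by a researcher) can both recognise a canary and say which table or export it was planted in. The key, the dataset names and the "leaked" text are constructed.

```python
import hashlib
import hmac
import re

# Assumed secret, held outside the database that is being watched. Every
# canary is derived from it, so nothing needs to be stored to verify one later.
CANARY_KEY = b"example-canary-key-change-me"
# Assumed domain you control, so mail sent to a canary address also alerts.
CANARY_DOMAIN = "canary.example"


def make_canary(dataset, seq, key=CANARY_KEY):
    """Derive a unique, verifiable canary e-mail for record `seq` of `dataset`."""
    tag = hmac.new(key, f"{dataset}:{seq}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"cust-{tag}@{CANARY_DOMAIN}"


def identify_canaries(text, datasets, max_seq, key=CANARY_KEY):
    """Scan arbitrary text and return {(dataset, seq)} for each planted record found.

    Re-deriving the expected canaries (rather than keeping a lookup table in
    the database) means an attacker who dumps the DB cannot tell which rows
    are bait, and a match tells you exactly which export or table leaked.
    """
    seen = set(re.findall(r"cust-[0-9a-f]{12}@" + re.escape(CANARY_DOMAIN), text))
    hits = set()
    for dataset in datasets:
        for seq in range(max_seq):
            if make_canary(dataset, seq, key) in seen:
                hits.add((dataset, seq))
    return hits


def sample_dump():
    """Constructed 'leaked' text: one planted payments record among noise."""
    planted = make_canary("payments-2017", 3)
    return f"john@example.org,4111...\n{planted},4242...\nnobody@example.net\n"


if __name__ == "__main__":
    print(identify_canaries(sample_dump(), ["customers", "payments-2017"], 100))
```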

~~~
walshemj
Possibly the WordPress install did not use a dedicated db user/password - it's
possible that the root user and password were used.

~~~
graystevens
Good point, the report calls out that the root password for 40+ servers was
the same, and that a large number of employees knew or used it. Seems sensible
to transfer that same mentality across to other sensitive accounts.

~~~
walshemj
Ouch. Having worked at BT, our internal security would have had a field day with
that - but mobile telecoms were always considered much weaker technically.

------
gaius
Peanuts. The GDPR strategy of fining a percentage of revenue is the only way
to make companies take this seriously.

~~~
DanBC
I'd be interested to know which company thinks a £400,000 needless expense
isn't a problem.

I jump through hoops to get a £7 train ticket paid.

~~~
pbhjpbhj
The company is doing £10B in sales, do you think they're going to restructure
their IT to be more protective of user data because they got a fine that's
0.1% of their £500M gross profit?

If they let a £10 train ticket slide for each employee it would be more than
this fine.

------
weego
A thousandth of the top-end of their expected profits for 17-18. That'll teach
them.

~~~
jstanley
It's not supposed to harm them, it's supposed to make it economically sensible
for them (and companies like them) to employ one or two people with the sole
responsibility of making sure stuff like this doesn't happen.

~~~
martinald
I don't agree, the ICO is a total joke and hopefully GDPR will allow them/some
other body to give proper fines.

There have been cases where spam companies have done 100m SMS/phone calls and
got a £100K fine (which they can just prepack away). It's probably a tenth of
their telecom cost per call. Just a cost of doing business.

~~~
jfindley
That's a different issue, though. In your example, the company is actively
doing something malicious, and accepting the fine for getting caught as part
of their costs. Other than the threat of a really huge fine (or worse
sanctions), they're unlikely to stop.

In this case, it's a company that's not actively trying to be malicious, but
rather due to [cost-saving/incompetence] has underfunded IT security to an
excessive degree. For them, and others like them, to change their ways it's a
lot less self evident that the fine needs to be huge. The fine (and
accompanying reputational damage) just needs to be enough to make them, and
similar companies, take IT security seriously.

Very different situations, really.

------
mabbo
The short version is that Carphone Warehouse had a very outdated copy of
Wordpress, a database with no encryption of passwords, a generally sloppy
infrastructure security-wise, and you can pretty much guess the rest of the
story.

While I agree with many others that this is a small fee all things considered,
it does put other companies on notice: secure your shit or you'll be held
liable (to some degree at least).

~~~
pbhjpbhj
They shared passwords - how does that happen in a tech company? UK ICO needs
more teeth, these sorts of failings should have punishments so severe that the
company can't afford to pay dividends or bonuses.

------
LukeOT
Put that into context, fine me £3 for doing something bad...

------
zero_k
That's a joke. It would take them a lot more to fix than 400k. Just the
pentests + risk assessments would cost more and they would also need to
educate their personnel (developers, testers, DevOps, managers), and implement
new policies and procedures, SDLC etc. The price of all of that would be well
over a million.

400k is not even a slap on the wrist. I'm disappointed.

------
Silhouette
I'm in two minds about the actual penalty notice given here.

On the one hand, it's good to see an organisation receiving a real financial
penalty after a serious breach, and apparently there were many serious
failings in security on the part of Carphone Warehouse.

On the other hand, reading the Commissioner's views in the notice, there is a
disturbing amount of commentary about measures not in place at Carphone
Warehouse that asserts apparently without evidence that such measures are
widely accepted security standards, either acknowledges that these measures
may not have made any difference to this kind of attack anyway or implies
again apparently without evidence that they would, and then considers the lack
of each such measure to be a contravention in its own right.

I'm not sure this is a good thing, because if we took the principles indicated
by those views and applied them more generally, I'm not sure many if any
organisations would meet the required standards here.

For example, how many organisations that use WordPress to run their web sites
have measures in place to detect unauthorised use of legitimately issued
WordPress credentials? What would that even look like?

How many small organisations have a dedicated WAF box installed, or the money
to run regular independent pentesting or hire suitably qualified in-house
staff to do it? (Obviously we're not talking about a small organisation in the
case at hand, so maybe the ICO would apply a more liberal standard in other
situations.)

There is a reference to transaction data being encrypted but the encryption
key being present in plain text in the application source code. Well, OK, but
that key has to be present _somewhere_ accessible on the system or you can't
access the data at all even for legitimate purposes. If you've got an attacker
who apparently already has access to both your database and your runtime
system, I'm not sure what alternative they would have preferred to see that
would have mitigated the damage materially here. Does it really matter whether
the attacker looks at source code or somewhere else like environment strings,
if the end result is the same either way?

Compared to obviously terrible practices like not updating externally
accessible software for many years so the live version has multiple known
vulnerabilities or storing full credit card data including things like CVCs
for all historical transactions, some of the issues raised here seem both much
more dangerous and much more practically mitigable than others.

~~~
Angostura
> For example, how many organisations that use WordPress to run their web
> sites have measures in place to detect unauthorised use of legitimately
> issued WordPress credentials? What would that even look like?

Install the free Wordfence plugin and you'll get an e-mail whenever someone
logs in using an admin account.

~~~
pbhjpbhj
Or you can block admin use from unauthorised IP addresses (or whitelist if you
own the IP).

I limit SSH access to my ISP's net blocks; that's just a hobbyist's personal
computer on which I have no legal obligation to protect the data.
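A concrete shape for the two suggestions above (alerting on admin logins and restricting them by source address), as an added example that is not from the thread, from Wordfence or from the ICO notice: a Python pass over constructed web-server access-log lines that flags successful wp-login.php logins from outside an assumed allowlist, and requests carrying a scanner User-Agent such as the Nikto one mentioned further up. The allowlist range and the log lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Combined log format (Apache/nginx style); only the fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed ranges from which admin logins are expected (office / VPN egress).
ADMIN_ALLOWLIST = ["10.1.0.0/16"]
# Substrings found in the default User-Agent of well-known scanners.
SCANNER_UA_MARKERS = ("nikto", "wpscan", "nessus")

# Constructed sample lines (not from any real server). Lines 1-2: scanner
# traffic; 3: successful login from an unknown address; 4: successful login
# from the allowlisted range; 5: failed login (form re-rendered with 200).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
203.0.113.7 - - [10/Jan/2018:09:12:02 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 200 540 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.20 - - [10/Jan/2018:09:30:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.1.2.3 - - [10/Jan/2018:09:31:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2018:09:32:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""


def analyse(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (rule, source_ip, detail) findings, one per suspicious line."""
    nets = [ip_network(cidr) for cidr in allowlist]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of failing
        rec = m.groupdict()
        if any(mark in rec["ua"].lower() for mark in SCANNER_UA_MARKERS):
            findings.append(("scanner-ua", rec["ip"], rec["ua"]))
        # WordPress answers a successful login POST with a 302 to wp-admin and
        # re-renders the form with 200 on failure, so a 302 is a credential
        # that *worked*. Other wp-login.php actions (lost password etc.) carry
        # an action= query string and are skipped.
        path, _, query = rec["path"].partition("?")
        if (rec["method"] == "POST" and path == "/wp-login.php"
                and "action=" not in query and rec["status"] == "302"):
            src = ip_address(rec["ip"])
            if not any(src in net for net in nets):
                findings.append(("admin-login-outside-allowlist", rec["ip"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE_LOG):
        print(f"{rule:32} {ip:16} {detail}")
```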

------
rcgs
What do people make of ICO's recommendation for production servers to have
antivirus software installed? Is this a standard approach to Windows? Is it
generally accepted?

Please excuse my ignorance.

------
zubairq
Carphone Warehouse, a total scam organisation, just like Trustpilot. I wrote
about them here:

[https://www.linkedin.com/pulse/day-31-write-every-carphone-w...](https://www.linkedin.com/pulse/day-31-write-every-carphone-warehouse-sucks-why-win-zubair-quraishi/)

------
chris__butters
All of this data was leaked through a WordPress plugin uploaded to an old
installation; WordPress is one of the easiest platforms to secure (IMO) so
can't understand why organisations can't take the short amount of time needed
to secure it.

------
JohnnyConatus
Stewart Lee on the values of Carphone Warehouse:
[https://www.youtube.com/watch?v=W2firijxQOo](https://www.youtube.com/watch?v=W2firijxQOo)

------
harel
Wordpress is like a gift that keeps on giving for hackers and blackhats. All
it takes is missing one vital upgrade or using an outdated plugin.

~~~
Angostura
Do you have a suggestion for a platform where missing a vital upgrade won't
introduce security holes? I'd love to know what it is.

~~~
harel
I have a feeling that if you tally up all the times a server was hacked,
Wordpress will be the reason for the bulk of them. Yes many platforms when not
kept upgraded will have holes, but nothing in the magnitude of the WordPress
universe.

