Carphones, Ashley Madison and the New Cyber Reality

Not that anyone expected otherwise, but this whole Year of the Data Breach business is turning out to be a global phenomenon, to now turn to the hack of British mobile phone retailer Carphone Warehouse.  Personally, I don’t like the distraction of prolonged conversation while driving, free hands or not; but in its mission to become a leading entity in the Internet of Things, CW, both directly and through its subsidiary companies, has amassed millions of customers.  2.4 million of these were affected by the cyber attack that was announced last week, although the infiltration itself is believed to have occurred over the two weeks prior to that.  Bank details and other personal information are believed to have been accessed.

Fortunately, this one was discovered and contained fairly quickly, it seems.  It took them a few days to assess what information was vulnerable, but CW soon emailed their customers and advised them to notify their banks and credit card companies, and change their passwords (although, research by Experian shows that over 50% of people who get notified of compromised account information don’t even change their passwords, so who knows what will happen.).  And so far, according to investigations by the U.K. Information Commissioner’s Office and the Metropolitan Police Cyber Crime Unit, no evidence of fraud has yet been found.  Good news for consumers, and also for CW, as Ken Odeluga, a senior market analyst at www.cityindex.co.uk, told SC Magazine that “The impact on CW shares will probably be negligible and the financial fallout I suspect will be zero.”

While Odeluga also claims that breaches such as these are still relatively rare, the fact is they’ve become a common enough occurrence that you hear about a new one almost on a weekly basis.  It’s even gotten to the point where the labor-supported National Consumers League has launched a data security project, one that calls on the federal government to, among other proposals, finally get around to creating national breach notification standard, along the lines of California’s.  Good luck, NCL.  We’ve been barking up that tree for a while now.  Meanwhile, it’s not like consumers are completely helpless, and NCL has also advised that “consumers need to be proactive about protecting their own data and calling on policymakers for improvements,” suggesting in their report what actions people can take as these incidents become more regular.

Oh, and speaking of our new cyber reality, the hackers over at Impact Team have proven themselves to be obviously jilted lovers of their word, at last releasing the Ashley Madison data dump they promised last month if the site were not shut down.  Among the information: names, credit card transactions and passwords that were actually encrypted with the bcrypt algorithm for PHP.  Avid Life Media, who owns the site, ignored the warning, and now, well, the deluge.  For those millions whose names are in the dump (over 90% of whom, according to the hackers’ statement, are actually male), public humiliation could be the least of their impending troubles.  And while a name like Tony Blair might be found on the list (along with 10,000 US government officials), it’s worth noting that AM doesn’t require email verification, meaning that anyone could use a legitimate address as a prank.

Condemning the release, ALM highlights the main point: “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”  I don’t know about you, but I think the only judge and jury needed for companies who don’t protect your information are the consumers themselves.  Or, you know, actual juries.

By: Jonathan Weicher