How long is too long for responsible disclosure?
Carphone Warehouse disclosure practices put under our columnist's spotlight
The fact that bank account details and other personal data of some 2.4 million Carphone Warehouse customers has been compromised is bad enough; that this news broke over the weekend is even worse. Try dealing with your bank or credit card provider on a Saturday or Sunday, in order to notify them of a potential compromise of your data and request they monitor accounts for unusual activity, and you'll know exactly what I mean.
Online banking may well be 24/7 but customer service and support simply does not function in the same way out here in the real world of outsourced call centres and departmental hoops that need jumping through.
Of course, it's not the fault of Carphone Warehouse that it discovered the breach over the weekend is it? Apart that in actual fact it discovered the breach on the Wednesday, that's some three days before it disclosed it to customers whose data may be at risk. My sources inform me that the 'sophisticated cyber-attack' which may also have led to the access of encrypted credit card data of 90,000 customers had most likely been ongoing for two weeks prior to that. So why did it take this huge enterprise so long to go public and give customers an opportunity to defend against the potential abuse of their personal and financial data? Indeed, is a three-day gap between discovery and disclosure responsible?
Carphone Warehouse customers certainly don't appear to think so, if the social media storm that has erupted over the weekend is anything to go by. I have to say that, given the lack of information regarding the attack that we have at this point, I tend to agree with the hoi polloi on this one.
Responsible disclosure is one of my pet peeves, as it really is a vital cog in the wheel of both good security practice and good post-breach reputational damage limitation. I appreciate fully that there is an argument to be had, and one I happen to agree with, that delays in disclosure are necessary when we are talking about vulnerabilities that could be exploited by the bad guys before a patch has been implemented.
In those circumstances, customer data is actually being protected by disclosure being delayed. As far as Carphone Warehouse is concerned, I believe the opposite is true: customers need to be informed of the likelihood of compromised personal and financial data as quickly as possible in order to mitigate potential fraud. As quickly as possible in these circumstances means, as far as I am concerned, zero-day disclosure.
Anything other than passing on the information as soon as you have confirmed what has, and has not, been compromised could be construed as negligent in my never humble opinion. I think it's also hugely damaging to your brand. In a crowded marketplace such as the mobile phone one, customers who feel they are being hard done by can, and will, express their anger by visiting one of the myriad other retailers.
If Carphone Warehouse has a breach response plan, one that includes a protocol for disclosure to customers, business partners and the media, then it needs ripping up and re-writing with immediate effect. To paraphrase the puppet Mr Punch "that's not way to do it."