How long is too long for responsible disclosure?

Carphone Warehouse disclosure practices put under our columnist's spotlight

Hacking

The fact that bank account details and other personal data of some 2.4 million Carphone Warehouse customers has been compromised is bad enough; that this news broke over the weekend is even worse. Try dealing with your bank or credit card provider on a Saturday or Sunday, in order to notify them of a potential compromise of your data and request they monitor accounts for unusual activity, and you'll know exactly what I mean.

Online banking may well be 24/7 but customer service and support simply does not function in the same way out here in the real world of outsourced call centres and departmental hoops that need jumping through.

Of course, it's not the fault of Carphone Warehouse that it discovered the breach over the weekend is it? Apart that in actual fact it discovered the breach on the Wednesday, that's some three days before it disclosed it to customers whose data may be at risk. My sources inform me that the 'sophisticated cyber-attack' which may also have led to the access of encrypted credit card data of 90,000 customers had most likely been ongoing for two weeks prior to that. So why did it take this huge enterprise so long to go public and give customers an opportunity to defend against the potential abuse of their personal and financial data? Indeed, is a three-day gap between discovery and disclosure responsible?

Carphone Warehouse customers certainly don't appear to think so, if the social media storm that has erupted over the weekend is anything to go by. I have to say that, given the lack of information regarding the attack that we have at this point, I tend to agree with the hoi polloi on this one.

Responsible disclosure is one of my pet peeves, as it really is a vital cog in the wheel of both good security practice and good post-breach reputational damage limitation. I appreciate fully that there is an argument to be had, and one I happen to agree with, that delays in disclosure are necessary when we are talking about vulnerabilities that could be exploited by the bad guys before a patch has been implemented.

In those circumstances, customer data is actually being protected by disclosure being delayed. As far as Carphone Warehouse is concerned, I believe the opposite is true: customers need to be informed of the likelihood of compromised personal and financial data as quickly as possible in order to mitigate potential fraud. As quickly as possible in these circumstances means, as far as I am concerned, zero-day disclosure.

Anything other than passing on the information as soon as you have confirmed what has, and has not, been compromised could be construed as negligent in my never humble opinion. I think it's also hugely damaging to your brand. In a crowded marketplace such as the mobile phone one, customers who feel they are being hard done by can, and will, express their anger by visiting one of the myriad other retailers.

If Carphone Warehouse has a breach response plan, one that includes a protocol for disclosure to customers, business partners and the media, then it needs ripping up and re-writing with immediate effect. To paraphrase the puppet Mr Punch "that's not way to do it." 

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022