How long is too long for responsible disclosure?

Carphone Warehouse disclosure practices put under our columnist's spotlight

Hacking

The fact that bank account details and other personal data of some 2.4 million Carphone Warehouse customers has been compromised is bad enough; that this news broke over the weekend is even worse. Try dealing with your bank or credit card provider on a Saturday or Sunday, in order to notify them of a potential compromise of your data and request they monitor accounts for unusual activity, and you'll know exactly what I mean.

Online banking may well be 24/7 but customer service and support simply does not function in the same way out here in the real world of outsourced call centres and departmental hoops that need jumping through.

Of course, it's not the fault of Carphone Warehouse that it discovered the breach over the weekend is it? Apart that in actual fact it discovered the breach on the Wednesday, that's some three days before it disclosed it to customers whose data may be at risk. My sources inform me that the 'sophisticated cyber-attack' which may also have led to the access of encrypted credit card data of 90,000 customers had most likely been ongoing for two weeks prior to that. So why did it take this huge enterprise so long to go public and give customers an opportunity to defend against the potential abuse of their personal and financial data? Indeed, is a three-day gap between discovery and disclosure responsible?

Carphone Warehouse customers certainly don't appear to think so, if the social media storm that has erupted over the weekend is anything to go by. I have to say that, given the lack of information regarding the attack that we have at this point, I tend to agree with the hoi polloi on this one.

Responsible disclosure is one of my pet peeves, as it really is a vital cog in the wheel of both good security practice and good post-breach reputational damage limitation. I appreciate fully that there is an argument to be had, and one I happen to agree with, that delays in disclosure are necessary when we are talking about vulnerabilities that could be exploited by the bad guys before a patch has been implemented.

In those circumstances, customer data is actually being protected by disclosure being delayed. As far as Carphone Warehouse is concerned, I believe the opposite is true: customers need to be informed of the likelihood of compromised personal and financial data as quickly as possible in order to mitigate potential fraud. As quickly as possible in these circumstances means, as far as I am concerned, zero-day disclosure.

Anything other than passing on the information as soon as you have confirmed what has, and has not, been compromised could be construed as negligent in my never humble opinion. I think it's also hugely damaging to your brand. In a crowded marketplace such as the mobile phone one, customers who feel they are being hard done by can, and will, express their anger by visiting one of the myriad other retailers.

If Carphone Warehouse has a breach response plan, one that includes a protocol for disclosure to customers, business partners and the media, then it needs ripping up and re-writing with immediate effect. To paraphrase the puppet Mr Punch "that's not way to do it." 

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Splunk debuts a new suite of cloud security solutions
Security

Splunk debuts a new suite of cloud security solutions

22 Jun 2021
Nvidia Jetson chips make IoT devices vulnerable to attack
vulnerability

Nvidia Jetson chips make IoT devices vulnerable to attack

22 Jun 2021
Cryptocurrency crimes have increased 12-fold since 2016
cryptocurrencies

Cryptocurrency crimes have increased 12-fold since 2016

22 Jun 2021
University Medical Center Mainz taps IBM to secure health care data
cloud security

University Medical Center Mainz taps IBM to secure health care data

21 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021