How long is too long for responsible disclosure?

Carphone Warehouse disclosure practices put under our columnist's spotlight

Hacking

The fact that bank account details and other personal data of some 2.4 million Carphone Warehouse customers has been compromised is bad enough; that this news broke over the weekend is even worse. Try dealing with your bank or credit card provider on a Saturday or Sunday, in order to notify them of a potential compromise of your data and request they monitor accounts for unusual activity, and you'll know exactly what I mean.

Online banking may well be 24/7 but customer service and support simply does not function in the same way out here in the real world of outsourced call centres and departmental hoops that need jumping through.

Of course, it's not the fault of Carphone Warehouse that it discovered the breach over the weekend is it? Apart that in actual fact it discovered the breach on the Wednesday, that's some three days before it disclosed it to customers whose data may be at risk. My sources inform me that the 'sophisticated cyber-attack' which may also have led to the access of encrypted credit card data of 90,000 customers had most likely been ongoing for two weeks prior to that. So why did it take this huge enterprise so long to go public and give customers an opportunity to defend against the potential abuse of their personal and financial data? Indeed, is a three-day gap between discovery and disclosure responsible?

Carphone Warehouse customers certainly don't appear to think so, if the social media storm that has erupted over the weekend is anything to go by. I have to say that, given the lack of information regarding the attack that we have at this point, I tend to agree with the hoi polloi on this one.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Responsible disclosure is one of my pet peeves, as it really is a vital cog in the wheel of both good security practice and good post-breach reputational damage limitation. I appreciate fully that there is an argument to be had, and one I happen to agree with, that delays in disclosure are necessary when we are talking about vulnerabilities that could be exploited by the bad guys before a patch has been implemented.

In those circumstances, customer data is actually being protected by disclosure being delayed. As far as Carphone Warehouse is concerned, I believe the opposite is true: customers need to be informed of the likelihood of compromised personal and financial data as quickly as possible in order to mitigate potential fraud. As quickly as possible in these circumstances means, as far as I am concerned, zero-day disclosure.

Anything other than passing on the information as soon as you have confirmed what has, and has not, been compromised could be construed as negligent in my never humble opinion. I think it's also hugely damaging to your brand. In a crowded marketplace such as the mobile phone one, customers who feel they are being hard done by can, and will, express their anger by visiting one of the myriad other retailers.

If Carphone Warehouse has a breach response plan, one that includes a protocol for disclosure to customers, business partners and the media, then it needs ripping up and re-writing with immediate effect. To paraphrase the puppet Mr Punch "that's not way to do it." 

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020