How long is too long for responsible disclosure?

Carphone Warehouse disclosure practices put under our columnist's spotlight


The fact that bank account details and other personal data of some 2.4 million Carphone Warehouse customers has been compromised is bad enough; that this news broke over the weekend is even worse. Try dealing with your bank or credit card provider on a Saturday or Sunday, in order to notify them of a potential compromise of your data and request they monitor accounts for unusual activity, and you'll know exactly what I mean.

Advertisement - Article continues below

Online banking may well be 24/7 but customer service and support simply does not function in the same way out here in the real world of outsourced call centres and departmental hoops that need jumping through.

Of course, it's not the fault of Carphone Warehouse that it discovered the breach over the weekend is it? Apart that in actual fact it discovered the breach on the Wednesday, that's some three days before it disclosed it to customers whose data may be at risk. My sources inform me that the 'sophisticated cyber-attack' which may also have led to the access of encrypted credit card data of 90,000 customers had most likely been ongoing for two weeks prior to that. So why did it take this huge enterprise so long to go public and give customers an opportunity to defend against the potential abuse of their personal and financial data? Indeed, is a three-day gap between discovery and disclosure responsible?

Advertisement - Article continues below
Advertisement - Article continues below

Carphone Warehouse customers certainly don't appear to think so, if the social media storm that has erupted over the weekend is anything to go by. I have to say that, given the lack of information regarding the attack that we have at this point, I tend to agree with the hoi polloi on this one.

Responsible disclosure is one of my pet peeves, as it really is a vital cog in the wheel of both good security practice and good post-breach reputational damage limitation. I appreciate fully that there is an argument to be had, and one I happen to agree with, that delays in disclosure are necessary when we are talking about vulnerabilities that could be exploited by the bad guys before a patch has been implemented.

In those circumstances, customer data is actually being protected by disclosure being delayed. As far as Carphone Warehouse is concerned, I believe the opposite is true: customers need to be informed of the likelihood of compromised personal and financial data as quickly as possible in order to mitigate potential fraud. As quickly as possible in these circumstances means, as far as I am concerned, zero-day disclosure.

Advertisement - Article continues below

Anything other than passing on the information as soon as you have confirmed what has, and has not, been compromised could be construed as negligent in my never humble opinion. I think it's also hugely damaging to your brand. In a crowded marketplace such as the mobile phone one, customers who feel they are being hard done by can, and will, express their anger by visiting one of the myriad other retailers.

If Carphone Warehouse has a breach response plan, one that includes a protocol for disclosure to customers, business partners and the media, then it needs ripping up and re-writing with immediate effect. To paraphrase the puppet Mr Punch "that's not way to do it." 




HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020
internet security

Mozilla fixes two Firefox zero-days being actively exploited

6 Apr 2020

Most Popular

application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020