In the summer of 2015, Carphone Warehouse suffered a major data breach, resulting in the records of many of its customers being obtained by third parties. This information was significant in that it included all the individuals’ personal details (name, address, date of birth etc) as well as their financial information (credit card details – including the numbers, the expiry date and the “secure 3-digit number on the back”). In short, every person’s doomsday scenario and every company’s worst nightmare.
As a result of this data breach, the Information Commissioner’s Office (ICO) fined Carphone Warehouse £400,000. Now, whilst that is a lot of money, the limit was set under existing regulations. However, from 25 May 2018 (whenGDPR regulationscame into force) that fine could have been significantly higher (up to 20m Euros, or 4% of global turnover – whichever is higher).
Learning lessons from a data breach in the world of IT security – is it relevant to HR or recruitment?
Well, as with most learning, we all take lessons from history. In this instance, the ICO has issued their report on the Carphone Warehouse data breach, so we can look to that to see what potentially went wrong. In that sense the ICO has highlighted a number of key failings:
The point of vulnerability to the Carphone Warehouse systems was, in fact, a WordPress site! Now, I too am no developer – my background is 100% HR – but even I know that WordPress is a system used to develop your typical web site. That is absolutely fine and I am not suggesting that we all drop using WordPress – that would be a knee-jerk reaction of ludicrous proportions. However, what is staggering is that Carphone Warehouse seemingly stored their WordPress systems on the same network as their core secure data. In short, if you managed to open the flimsy, unlocked door at the front of the house, you could then walk through every other room without challenge!
This analogy is extended further. The ICO revealed that the encryption codes (required to access the rest of the servers) were stored in the system in plain text. Once hackers had entered the front door, they were able to find all the keys they needed to roam freely.
It took 15 days before anyone at Carphone Warehouse noticed there was a problem and did anything about it. Surely some closer monitoring of the system could have alerted them?
But that leads us onto some other shortcomings…
The user login credentials were hugely inadequate, with between 30-40 people sharing the same access passwords. These passwords gave access to the core operating system and there was no control, monitoring or recording of who accessed it and when.
Important elements of the software were out of date – not by a few months, but by the best part of a decade.
The ICO also highlighted that the approach to ‘patch management was seriously inadequate’. This meant that not only were the core systems out of date but even the more recent ones weren’t being maintained and therefore left with increased vulnerability.
No routine penetration testing took place and no scanning for vulnerabilities. Penetration testing (or pent testing as it tends to be referred to), is designed to test a system’s full defences against a typical cyber-attack. A good pent test (carried out by a reputable third party) could take 1-3 weeks and will highlight areas for you to address as the testing progresses. However, I have to say that our own experience of working with many corporate clients is that they often insist on carrying out their own tests – and do so with the most cursory of pent test solutions that take less than half a day to complete. Essentially, they knock on the front door and try the handle – if it’s locked then you are told all is OK. However, you may have left all the side doors and windows wide open, but such a test does not reveal this.
There was no Web Application Firewall. To have no firewall should be seen as reckless. Essentially a firewall is called that because, in a world of more physical security (buildings), you build firewalls to prevent the spread of fire. In the world of IT security, you deploy firewalls to protect a system against being widely compromised if it is breached. Not to have any firewall on a public facing site “exposed the system and its contents to significant risk” – said the ICO.
None of the servers had anti-virus technology installed. I was speechless at reading this. I thought this would be a natural given, but therein lies a danger of assuming anything.
The system itself contained a huge amount of historical data (personal and financial) that there was no valid reason for keeping – apparently, Carphone Warehouse wasn’t aware of this. The ICO judged that this lack of awareness simply compounded the fact that they paid little regard to their own security. This was one of the reasons why the fine was so high.
“All that glitters is not gold” – the importance of checking IT security and robustness
So, the lessons for IT security to reduce the risk of data breaches is clearly set out in the report. However, what isn’t as apparent is what lessons there are for HR and resourcing. But what it should highlight is the importance that this issue should be given in assessing a provider.
The old adage that “all that glitters is not gold” ought to be borne in mind when reviewing options. I am not saying that the look of a recruitment software solution should be ignored when reviewing options – but certainly, the security and robustness of the system, the company and its processes should all be given greater weighting.
So perhaps when you are considering your next investment in HR software, or in a recruitment system (ATS/applicant tracking system), more consideration could be given to the lessons learnt so painfully by Carphone Warehouse. Maybe a little more scrutiny of the security compliance is not always a bad thing.
If you have any questions on how robust an ATS should and could be, please get in touch