If you’re prone to using the same password across multiple websites, leaving accounts open without signing out, or not protecting yourself with good internet security software, you’re not alone.
Of course these are fundamental security errors, and it’s often only when we’ve become the victim of an identity hack, can’t use our computer because it’s crawling with malware, or have just fallen for a phishing email that we wake from our soporific digital condition.
But you’d expect large companies with vast and sweeping IT systems, spanning front-end customer service technology and mobile app purchasing systems through to back-office accounts, supply chain and warehousing systems, to have a good grasp of cyber security.
Alas, we know this isn’t true, and the latest corporate miscreant for awful security blunders is UK DIY retailer B&Q.
- A security researcher, trawling the internet out of curiosity and a professional sense of doing the right thing, discovered an unprotected B&Q database.
- It contained an estimated 70,000 records of shoplifting incidents including offenders and a report on each incident.
- The data also included possible criminal activity, including in some cases people’s names and vehicle details.
Of course retailers have to keep on top of shoplifting. It can result in significant losses, around £500 million a year according to the British Retail Consortium.
But to leave exposed a database containing the information of those allegedly engaged in shoplifting is also near criminal. It contravenes a number of regulations, including the General Data Protection Regulation (GDPR).
It could also have serious repercussions for those named in the database if it fell into the hands of a hacker.
Another alarming aspect is that it took B&Q two weeks from the point it was notified about the vulnerability to actually address it.
- The security researcher contacted B&Q as soon as he became aware of the implications.
- Four days later the data was still exposed; the vulnerability had not been addressed.
- After a week he had communicated with three different support staff, but still nothing had been done.
- He even tried messaging B&Q CEO Christian Mazauric on LinkedIn. According to the researcher, the message was read but never replied to.
- The server that hosted the database was only taken offline almost two weeks after B&Q was informed about the problem.
What does this tell us?
We could be charitable and say that B&Q’s internal processes are a bit slow and lumpy, hence the two-week delay in responding to the report and closing the vulnerability down.
No doubt there is some truth in this, in that it probably took time to get the message to the right people.
However, the larger picture, and one that affects many organisations, is that cyber security across all company operations is simply not given the attention it deserves.
The inevitable conclusion is that we, as ordinary users, need to safeguard our own sensitive information, because many companies that hold our data are clearly not doing so.