The phrase ‘what you don’t know, won’t hurt you’ may be true in some walks of life, but not when it comes to our sensitive data. We entrust all sorts of valuable information to businesses – such as contact details, passwords and financial data – all of which are golden nuggets to a cybercriminal. So if this information is in any way jeopardised, we need to know sooner rather than later, to enable us to act quickly and put the right measures in place to minimise the damage. Time is definitely of the essence when it comes to a data breach.
The recent cyber-attack on Carphone Warehouse highlights the importance of this and draws attention to why online security is increasingly vital for both organisations and consumers. Companies holding consumer data have a responsibility to keep it safe, and make sure it doesn’t fall into the wrong hands. But because online data breaches are now a fact of life, consumers need to be sure that they aren’t leaving their data exposed.
The fact that the personal details of 2.4 million people were compromised in this particular attack will undoubtedly be a huge cause of concern for customers; and it’s hardly surprising that many have publicly expressed their dismay at the fact that it took Carphone Warehouse three days from the time they uncovered the breach to communicate it to customers. Presumably it took the company time to quantify the extent of the breach and assess its impact before taking steps to notify customers.
Carphone Warehouse has said that it has contacted all those affected. However, I would recommend – in the case of any such data breach – that all customers take the opportunity to change their passwords – including changing them on any other sites where they have used the same password (it’s never a good idea to re-use the same password across multiple accounts!). This particular attack should act as an eye-opener to consumers to take extra care of the passwords they use online.
Worryingly, many people use the same password and personal details across multiple online accounts, so if their details have been compromised by one attack they could find other online accounts suffer too. Businesses can do their part by hashing and salting passwords (methods that let them verify a password without storing the password itself, so that the password isn’t exposed even if attackers are able to gain access to the database holding the data) and encrypting other confidential information. But it is also up to individuals to ensure that their passwords are complex, that they do not reuse them on different sites and that they change them regularly. A password is the frontline of defence, so it needs to be sufficiently strong: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard.
When a breach takes place, our understandable reaction is to find out if we have been impacted. However, although we may think the worst is over, it is important that we are careful about what we do directly after the breach. For example, we should be wary about any e-mails we receive. The hackers behind an attack may already have been able to formulate phishing e-mails using the stolen details, so we should think carefully about whether an e-mail we receive is legitimate. As a general rule, I would caution against clicking links in e-mails – it’s always better to type the website address manually, to avoid the risk of being redirected to a phishing site. Finally, we should keep a close check on bank accounts and report any suspicious activity to our bank and to Action Fraud.
This attack isn’t the first to expose this level of sensitive data – and it certainly won’t be the last. If anything, this should act as a catalyst to both businesses and consumers to reflect on how they are handling their data. Prevention is always better than cure: and simple measures such as secure, unique passwords can be the difference between securing our online identity and a cybercriminal accessing our sensitive data.