4 companies that paid a heavy price for a laissez-faire approach to IT security

Written by Paul Weeden

Founder & Managing Director at Foration. IT and technology fixer.

11 January 2017 | Paul Weeden | Tags: employee misconduct, IT security, moonpig, kiddicare, nationwide, morrisons

Federation of Small Businesses (FSB) data suggests that two thirds of small firms have been a victim of cyber crime in the last two years. The message is clear: UK business owners need to resist the temptation of assuming that an IT security breach is something that happens to ‘other people’.

Yet while smaller organisations often bear the brunt of cyber crime, it’s the crimes that affect the bigger players that tend to grab the headlines. So what can these high profile data breaches teach the rest of us? We take a look…

Kiddicare

What happened?

In 2015, the children’s product retailer was testing a new website. It then came to light that customers were receiving suspicious SMS messages asking them to take an online survey. Preliminary reviews of the system apparently revealed no evidence of a breach, but subsequent investigations found that the details of almost 800,000 customers had been compromised, resulting in phishing attacks directed at those customers.

What can be learned?

As Infosecurity Magazine reminded us in the aftermath of the breach, things are “bound to go wrong” when websites are undergoing development. Kiddicare’s mistakes during the testing process were twofold: they used real customer data (as opposed to dummy data) for testing, and that data wasn’t encrypted. During testing, firms must ensure that customer data isn’t exposed.
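The practical alternative to copying real customer records into a test environment is to pseudonymise them first. The following is an added illustration (not Kiddicare’s code, nor anything the article describes): constructed sample records are masked with a keyed hash so that the same real customer always maps to the same fake identity (so joins and duplicate checks still work in test), the masking key stays on the production side, and a gate check refuses the export if any real value survives. Field names, the sample data and the key are assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample "production" records for illustration only; not real people.
PRODUCTION_RECORDS = [
    {"id": 1001, "name": "Alice Example", "email": "Alice@example.com",
     "phone": "+44 7911 123456", "postcode": "SW1A 1AA"},
    {"id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "phone": "+44 7911 654321", "postcode": "M1 1AE"},
    # Same person appearing twice (e.g. two orders): the mask must map both rows
    # to the same fake identity so test queries that join on email still work.
    {"id": 1003, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7911 123456", "postcode": "SW1A 1AA"},
]

# Secret held only by the production-side masking job (assumed value). The test
# environment never receives it, so fake identities cannot be mapped back there.
MASKING_KEY = b"example-only-replace-with-a-per-environment-secret"

PII_FIELDS = ("name", "email", "phone")


def _token(value: str, key: bytes) -> str:
    """Keyed, deterministic hash of a real value. Unlike a plain SHA-256, an HMAC
    cannot be reversed by hashing a guessed email address and comparing."""
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Return a copy of one customer record with every direct identifier replaced
    by synthetic data derived from the keyed hash of the email address."""
    t = _token(record["email"], key)
    return {
        "id": record["id"],                        # surrogate key, kept for referential integrity
        "name": f"Customer {t[:8]}",
        "email": f"user-{t[:12]}@test.invalid",    # .invalid is reserved and never routable
        # 07700 900000-900999 is the Ofcom range reserved for fictional use.
        "phone": "+44 7700 900" + f"{int(t[:4], 16) % 1000:03d}",
        # Keep only the outward postcode for coarse geography; drop the inward part.
        "postcode": record["postcode"].split()[0] + " 9ZZ",
    }


def mask_dataset(records: list, key: bytes = MASKING_KEY) -> list:
    """Mask every record; this is what would be exported to the test environment."""
    return [pseudonymise(r, key) for r in records]


def leaked_values(originals: list, masked: list) -> set:
    """Gate check before anything is copied to test: return any real PII value
    that still appears anywhere in the masked output (must be empty)."""
    real = {str(r[f]).strip().lower() for r in originals for f in PII_FIELDS}
    seen = {str(v).strip().lower() for m in masked for v in m.values()}
    return real & seen


if __name__ == "__main__":
    masked = mask_dataset(PRODUCTION_RECORDS)
    for m in masked:
        print(m)
    # Refuse the export if a single real name, email or phone number survives.
    assert not leaked_values(PRODUCTION_RECORDS, masked), "real PII would reach test"
```

The point of the keyed hash rather than random values is consistency: records 1001 and 1003 belong to the same customer and end up with the same fake email, so test data behaves like real data without containing any of it. Rotating the key per environment means a leak from one test copy cannot be correlated with another.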

Moonpig

What happened?

As far back as August 2013, researcher and IT security expert Paul Price had identified a vulnerability in the card retailer’s software. Price discovered that the company’s API failed to provide adequate protection for individuals’ usernames and passwords, making it incredibly easy for customers to access other users’ accounts, including access to sensitive information.

Price warned the company - but it took them a staggering 18 months to respond.
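The failure described above is an authorisation one: the API confirms that a caller is logged in but does not confirm that the account being requested is the caller’s own. The following is an added, generic illustration, not Moonpig’s code or a reconstruction of its API: a vulnerable lookup beside its corrected form, plus a detection check over constructed access-log lines that flags any session successfully reading more than one account. The data store, session table and log format are assumptions for the example.

```python
from collections import defaultdict

# Constructed data store for illustration; nothing here is a real system.
ACCOUNTS = {
    101: {"name": "Customer A", "address": "1 Example Road", "card_last4": "1111"},
    102: {"name": "Customer B", "address": "2 Example Road", "card_last4": "2222"},
}
# Session token -> customer id the session was issued for (what a login creates).
SESSIONS = {"tok-a": 101, "tok-b": 102}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_token: str, customer_id: int) -> dict:
    """Authentication only: checks the caller is logged in, then trusts the
    customer_id the caller supplied. Any valid session can read any account."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    return ACCOUNTS[customer_id]


def get_account_fixed(session_token: str, customer_id: int) -> dict:
    """Authentication plus authorisation: the requested account must be the one
    the session was issued for. Any other id is refused, whatever the client sent."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Unauthenticated()
    if customer_id != caller:
        raise Forbidden()
    return ACCOUNTS[customer_id]


def outcome(handler, session_token: str, customer_id: int) -> str:
    """Small helper so callers can compare the two handlers' decisions."""
    try:
        handler(session_token, customer_id)
        return "allowed"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


# Constructed access-log lines: "<session> <requested account id> <http status>".
ACCESS_LOG = """\
tok-a 101 200
tok-a 101 200
tok-b 102 200
tok-b 101 200
tok-b 103 200
tok-b 104 200
tok-b 105 200
"""


def suspicious_sessions(log: str, max_distinct_accounts: int = 1) -> dict:
    """Detection: a customer session should only ever touch its own account.
    Return {session: count} for sessions that successfully read more distinct
    account ids than allowed."""
    seen = defaultdict(set)
    for line in log.splitlines():
        token, acct, status = line.split()
        if status == "200":
            seen[token].add(int(acct))
    return {t: len(a) for t, a in seen.items() if len(a) > max_distinct_accounts}


if __name__ == "__main__":
    print("vulnerable, other account:", outcome(get_account_vulnerable, "tok-b", 101))
    print("fixed, other account:     ", outcome(get_account_fixed, "tok-b", 101))
    print("sessions reading multiple accounts:", suspicious_sessions(ACCESS_LOG))
```

The corrected handler binds the lookup to the identity the server already knows from the session; where a resource can legitimately belong to several users, the comparison would consult an ownership table instead of a single id. The log check is the kind of thing that would have surfaced the problem long before 18 months had passed: a session that reads five different accounts is not normal customer behaviour.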

What can be learned?

The loss to the company was reputational rather than financial in nature - but this in itself can be a severe blow. It’s a reminder to all businesses of the need to act promptly once a breach has been made known.

Nationwide

What happened?

The fine of £980,000 dished out to the Nationwide Building Society back in 2006 remains the single largest regulatory penalty imposed on a UK organisation in relation to a data breach. Information extracted from a laptop stolen from a company employee put at risk the personal data of 11 million savers.

What can be learned?

A combination of ‘bring your own device’ policies and increasingly mobile workforces means that it is rarely the case that all sensitive business data is locked down in the office. Businesses need to look closely at strict policies on what can and cannot be accessed remotely, and at mobile device management, encryption and containerisation, to ensure data is adequately shielded.

Morrison’s

What happened?

This wasn’t a mere mistake; it was a deliberate attack by a rogue insider. An employee obtained and published payroll data for a large chunk of the company’s 100,000 staff. It has cost the supermarket in the region of £2 million to rectify and thousands of employees are taking legal action against the company.

What can be learned?

Businesses should look carefully at who has access to what information. Open access leaves you vulnerable - no matter how tight-knit and trustworthy your team may seem.

Letting your guard down when carrying out platform updates and infrastructure renewal, failing to act promptly, failing to encrypt and protect your data: these big breaches remind us that all of this can cost you dearly.
