Insecurity notification

This morning I received a new mail.

One of many.

Sender?

Phone House

What was the title?

Security notification

Maybe it should be called an insecurity notification

Because it doesn’t give me much confidence.

As far as I can see, they have decided not to pay.

A few days ago I had already read the news in the press.

The first thing that is striking is the dance of numbers: from thousands to 5.2 million (it is clear that 5.2 million is mathematically thousands, but thousands of thousands in reality) to 13 million and 13 billion.

Because even if it’s 13 billion Americans, which is “only” 13 billion, it’s still a lot. It would be interesting to know in which other planet Phone House has branches because on Earth, as far as I know, there are about 8 billion of us.

As I was saying, these little numerical details aside, I would not like to be in the management of this company this week.

For having to face blackmail and having to decide whether to pay or not.

For having to investigate how the information about the cyber-attack reached the press. It is clear that data protection regulations oblige any company to notify the authorities of any leak. The question is, was the press release planned by the company itself? I would be surprised if they wanted to be exposed in this way. Did an employee do it? Did the blackmailers do it? Did someone from the authorities do it?

How will the market react to this “publicity” from the company?

It is clear to me that cyber security is complicated. New security breaches appear every day.

Any computer system is made up of hundreds of components (from server hardware to networks, internet servers, mail servers, operating systems, programming languages, component libraries, …) and each and every one of them can be affected by these security holes.

Even if Phone House knew that there was a security hole, would they have been able to find out exactly how the hackers were able to access their information? Would they have managed to block this access so that it would not happen again in the future?

More questions that the affected company must be asking itself.

How to notify customers who have been affected by the publication of their data?

If possible, without too much damage to the company’s reputation.

The “security communication” I received explains what happened, how they acted and tries to justify what they did.

I say “tries to justify” because there are expressions that pretend to say that this could happen to anyone and that they have done everything that could be done.

For example, there are phrases like “as you know, they are affecting all kinds of entities in both the public and private sector”.

In a clear reference to the cyber-attack on the SEPE (Servicio Público de Empleo Estatal) a few weeks ago.

As if to say: we are not the only ones and we are not so bad.

By the way, I have not seen published how the blocking of the SEPE equipment was resolved. Unlike Phone House, I understand that there was no data breach (they would have told us if that were the case, right?) and neither will they/we have paid.

It also says “Although at Phone House we have all the security measures required by data protection regulations…”.

As far as I know, data protection regulations state that every company is obliged to safeguard its customers’ data.

The regulation may define minimum mandatory measures, but I am almost convinced that complying with these minimums does not exempt them from the obligation to safeguard the data. If they have not been able to safeguard the data, they did not have all the required measures in place.

The other point on which I say that this is, in my view, a statement of insecurity is because it says that my personal data and my bank details may have been exposed.

I take it for granted that, as they say, no bank card details have been exposed. I understand that the Spanish Data Protection Agency would not allow this information to be communicated if it were not true.

But my question is, does Phone House have my bank details?

I don’t think so. I don’t usually pay with bank receipts except for certain recurring supplies.

And, to be honest, I don’t remember what I have bought at Phone House.

I do remember having been to the shop in the shopping centre near my house.

I imagine that, if they have my details, it’s because I bought a phone or some mobile phone accessory.

But I don’t remember.

Nor do they say when my details were exposed.

So I understand that they have sent that same communiqué to the thousands/5.2 million/13 million/13 billion affected without specifying information that can help me to know how critical that leaked information can be for me.

So now I will have to ask for that specific information.

In my opinion they could have helped to reduce the panic by simply sending separate communications to the customers of those who have bank details and another one for those who do not.

By the way, if you want to know if your data has been leaked go to haveibeenpwned.com and try your email and phone number (starting with 0034 if you are from Spain). If you see something like this, you are on the list.

Another aspect to take into account in this insecurity communiqué is that they indicate that they have not given in to blackmail so as not to “contribute to the fact that, with these funds, these criminal groups could finance yet another cyberattack, on another company other than ours”.

What they do not say is that in taking this decision they have chosen to expose 5.2 million customers (if we are to believe the message from haveibeenpwned) who may now suffer attacks on their bank accounts as their name, address and bank account details have been made public.

In conclusion

Possibly this is something that will (should) be on the agenda of all companies in the coming days:

  • Are we sufficiently/reasonably protected?
  • Should we hire an external audit?
  • Or do we rely on our “low profile” and that we are not relevant enough to be noticed by cyber attackers?

And as customers, we also have to ask ourselves questions:

  • How secure am I that my bank account was not accessed because of this and similar leaks that may not even have made the press?
  • Should I/can I complain if that happens?
  • What protection do I have?

There are also questions for the authorities

With so many security measures being demanded for card payments, shouldn’t something similar apply to bank details to prevent collection attempts being made just by knowing the account number?

Or perhaps also for banks

  • Is it possible to offer the possibility for a customer to generate collection authorisations on his accounts by indicating the sender and limits on dates and amounts and to give that an authorisation number that can be sent to the supplier with a controlled risk?
  • Would a customer pay for this service as an added value?