Data Breaches …… Time to account

Posted on January 24, 2011


We are hardly out of the second week of 2011 before I start getting a sense of déjà vu.

My theme for 2011, ‘Trust in Digital Life’, is proving to be very apt already.

This blog post started with a reference to the Facebook fiasco, ‘Facebook backtracks on data-sharing after users complain’: the launch of new functionality that (again) compromises user privacy and data in a compounding way. But before I could get that typed up, Facebook was trumped by an even more determined effort to show users how much their trust is being abused, this time by the high-street brand LUSH.

The LUSH cosmetics security breach on 21st January 2011 is an embarrassingly preventable breach of a website e-commerce service that will do little for the corporate credibility of this high-street brand. It has resulted in the following disruption and fall-out for users:

· Compromise of user personal details

· Credit Card fraud.

· Cancellation of users’ credit cards.

· Continued distress over the unknown: even with the credit cards cancelled, the stolen personal data relating to financial transactions lowers the bar for follow-up identity theft against these individuals.

What makes this worse is that Lush apparently not only knew about their compromised systems in December 2010 but continued to trade on that compromised platform, exposing their users, through into January 2011. This illogical behaviour is an embarrassing display of ignorance, or possibly arrogance, in thinking they could hide or contain this, and it demonstrates a continuing trend of corporate immaturity in handling e-commerce services and activities.

I have every suspicion that Lush is one of a majority of e-commerce companies that fail to adhere to basic online and data-retention security principles. There are the Payment Card Industry (PCI) guidelines that every credit card company is meant to impose on those it provides card services to. It is not hard to find out about this: they even have their own PCI Security Standards Council website.

The PCI guidelines are auditable and ensure a degree of diligence, leaving NO EXCUSE for ANY organisation going online to compromise user data: even if their systems get compromised, the data should still be secure. Basic steps include:

· Encrypting data – even if a database is compromised, the data is still secure.

· Securing systems and data access controls to a set standard, with proactive monitoring – had this been done, the compromise would have been picked up immediately and the damage mitigated.

Amongst others. But these two alone should have prevented the compromise of users’ data even after the hackers got into the systems, as modern encryption should render any data they steal unusable.
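The ‘encrypt the data so a stolen database is useless’ point above, as an added Go example that is not from the original post or from Lush: the only thing written to the database is a truncated PAN plus an AES-256-GCM ciphertext, the key is held elsewhere (here a constructed demo key standing in for an HSM/KMS), and decryption is confined to one authorised function. The type and function names, the key and the test PAN are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var cardKey = []byte("constructed-demo-key-32-bytes!!!") // constructed demo key; a real one lives in an HSM/KMS, never in the database beside the ciphertext
var gcm cardAEAD                                          // AES-256-GCM, built once from cardKey
func init() {
	block, err := aes.NewCipher(cardKey)
	if err != nil {
		panic(err)
	}
	if gcm, err = cipher.NewGCM(block); err != nil {
		panic(err)
	}
}

type cardAEAD = cipher.AEAD

// StoredCard is all the database ever holds: a displayable truncation plus an authenticated ciphertext of the PAN.
type StoredCard struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte
}

// ProtectPAN renders the PAN unreadable before storage; Last4 is bound to the ciphertext as associated data.
func ProtectPAN(pan string) (StoredCard, error) {
	if n := len(pan); n < 13 || n > 19 {
		return StoredCard{}, errors.New("invalid PAN length")
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return StoredCard{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// RevealPAN is the sole authorised path back to the PAN; any tampered field fails authentication.
func RevealPAN(c StoredCard) (string, error) {
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Last4))
	return string(pt), err
}

func main() { fmt.Println(ProtectPAN("4111111111111111")) } // constructed test PAN: prints the stored record, not the PAN
```

A copy of the table without the key yields only the last four digits and random-looking bytes, and any edit to a stored field makes RevealPAN return an error rather than a plausible-looking card number.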

If an organisation cannot find the time and investment to adhere to these basic starter guidelines then it has no place in the trust of online users. Why? Because ‘You are responsible for preventing theft of cardholder data’.

If Lush had taken the first steps in a responsible manner when setting up their online service, the compromise of user data would have been mitigated, if not entirely prevented. They did not, and like many before them and many to come, they failed in a basic duty of care; they should be prevented from opening up shop again until they get their house in order. But in true online ‘cowboy’ fashion, quite the opposite has happened.

Lush have just announced on their website: ‘A completely separate, temporary website will be launched in a few days – initially taking PayPal payments only’.

I find this somewhat perverse: it simply continues the trend, reinforcing the view that they lack the baseline maturity to be an e-commerce vendor, falling back on a temporary website before they can conceivably have had time to put in place the proper checks and balances that were woefully absent only weeks before. Not to mention placing their trust in PayPal: did they check PayPal’s track record? See my post from last year on PayPal’s lack of credibility.

Apart from being another kick in the teeth for those of us in the industry who know this is preventable, it is another nail in the coffin for the trust that e-commerce depends on, yet which e-vendors have been abusing for so long. This is a resounding failure in a duty of care, verging on negligence.

It is time that some significant pressure was introduced to impose discipline on e-commerce organisations. Consider the following measures, which would address the majority of these issues:

A. Making company directors personally responsible if, in the event of a breach, they cannot demonstrate that reasonable efforts have been made.

B. Politicians enforcing PCI standards on ALL e-commerce sites and levying fines for non-compliance. This would save a lot of political time by simply adopting, and giving teeth to, something that already exists and has industry acceptance, albeit not enforcement.

C. Compliance demonstrated by displaying a Kite Mark that any purchaser can click on to see the vendor’s current audited status. No Kite Mark = no confidence.

This is the type of seismic shift needed to sober up the current ‘wild-west’, anything-goes attitude by introducing real business accountability and visibility for users engaging with e-commerce sites. An SSL certificate alone is no longer enough to show due diligence and a reasonable duty of care.

Just come through my news feeds is an announcement that Apple have also woken up to the reality that they can no longer rely on security by obscurity and have recruited a global security lead in a series of high-profile security hires for the company… at last! Microsoft implemented their Trustworthy Computing initiative over a decade ago.