
More Encryption Required After Hacking

14 August 2015
 

This month's Carphone Warehouse hack highlights the essential need to secure sensitive data and to avoid the devastating effects that such losses can have on a company.

 

According to TechWeekEurope, Carphone Warehouse shares fell 2% on the morning the UK’s Information Commissioner’s Office (ICO) began ‘making enquiries’ into how the data breach happened and what could be done about it.

The potential damage to Carphone Warehouse customers is difficult to assess but the company does not deny that the data of 2.4 million people may have been compromised by whoever hacked into the system. Encrypted credit card details of 90,000 people may also have been stolen.

Despite reassurances that the cyber attack was stopped once detected, Carphone Warehouse has suffered damage to its reputation, and from the apparent fact that its security could have been breached in such a way. As one customer told the BBC: “As a Talkmobile customer, I have just visited the Carphone Warehouse and Talkmobile websites to find out more. Guess what? I could find absolutely no mention of this on either website! It seems like they are trying to sweep this under the carpet. Not good enough.”

 

Comprehensive encryption required

Some specialists believe that the only way to properly secure data is to encrypt the entire database and the elements around it, e.g. redo logs or indexes, and to ensure that the encryption keys are kept separately in a secure repository, well away from the database, its administrators or non-authorised personnel.

“That way, even if the data is hacked, without the key it cannot be read,” explained Colin Tankard, MD, Digital Pathways. “Many companies choose to use tokenisation methods where a column of data (say credit card numbers) is protected but other data remains clear and thus susceptible to hacking.”

This method is often adopted as a simpler way of ensuring PCI compliance because the real credit card data is held outside of the database and so takes the database server out of scope. “But the risk is that other data is left in the clear and in the Carphone Warehouse case, it may be that is the data which included other sensitive information,” stated Mr Tankard. He argued that the best option is to do both so that the data is truly protected. “An excellent strategy is to use a ‘stealth’ product where the data is cloaked and is not seen. Businesses storing sensitive data really do need to employ robust data encryption systems but this is a message we security professionals have been ‘banging on about’ for years – we’re starting to become hoarse.”

Picture: Great damage has been done to Carphone Warehouse’s reputation with the latest hacking and some specialists believe greater encryption must be considered.

Article written by Mike Gannon | Published 14 August 2015
