Dixon Carphone breach reinforces that breach detection doesn’t translate to protection, warns BOHH Labs

Earlier this week Dixons Carphone reported that a huge data breach, which took place last year, involved 10 million customers, up from its original estimate of 1.2 million. According to Simon Bain, CEO of BOHH Labs, with consumer confidence towards the high-street already fragile, retailers simply can’t afford to demonstrate lax attitudes in cyber security, notably towards threat detection methods.

Earlier this year the Centre for Retail Research issued findings, reinforcing the severity of the situation facing UK high-street retailers. The report revealed that since 2012, 61,000 stores had been forced to close, with 2018 expected to be the worst year since the financial crash of 2008. Already the UK has lost the retailer Toys R Us in 2018, while brands including Marks and Spencer, New Look, Carphone Warehouse, Mothercare and Carpetright are all closing a number of stores in restructuring programmes to try and adjust to the digital economy.

According to Simon, with a number of businesses on a knife-edge and few signs of recovery on the horizon, the last thing retailers need are high-profile incidents, similar to the Dixons Carphone breach, which will only serve to damage brand reputation and dent confidence further.

He explained: “Unfortunately, it appears to be the case of another day, another breach. This time it is Dixon Carphone – a major UK high-street retailer – which saw the names, addresses, and email addresses of anywhere from 1.2 million customers to 10 million, exposed. While the breach has only just come to light, it’s been revealed that the incident actually occurred back in July 2017. Worryingly, this reinforces how in the dark organisations are when it comes to security – in this case, for almost an entire year, the company had NO idea it had been impacted by a data breach. For a sector already with its back to the wall, this will only create more concerns and nervousness amongst both retailers and consumers.”

Simon continued: “While findings on the how, who, and why of this particular attack are still coming to light, it does bring up a critical point around cyber security – breach detection is not protection. In fact, in a recent study sponsored by IBM Security with research independently conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study finds that the Mean-time-to-identify (MTTI) a breach is 197 days, and the Mean-Time-to-Contain (MTTC) is 69 days. This means that on average, it takes half a year to identify a breach! Imagine how much data an attacker could get in that amount of time while going unnoticed – the results will simply be catastrophic.

“This figure is unacceptable, especially since the security industry has seen greater support for threat detection tools over the last several years. This ranges from everything like network threat detection and understanding and monitoring traffic patterns, to endpoint threat detection and tracking information/behaviours on user machines and even popular threat intelligence tools like AI and ML for their self-learning capabilities and ability to recognise patterns and anomalies.

“Unfortunately, the industry has made people believe that detection can work. We are certainly not saying that no detection solutions work, and they should be removed from your security strategy all together, but it is clear detection alone is not enough. What we need is a new way to protect our data.”

Simon concluded: “Placing the emphasis on the data itself, not just where it comes from or where it is stored or being transacted to, it enables better protection for both external and internal threats that organisations desperately need to keep sensitive information protected. Considering how vulnerable the UK high-street is presently, it’s imperative retailers take control of their own security measures and leave nothing to chance!”