Today’s news that 600,000 customer records have been stolen from Domino’s France and Belgium yet again raises questions about just how seriously large corporations and big brands are taking data protection. It is the second time in less than a month that we have seen customers’ personal details compromised after the records of 145 million people were affected by the eBay breach.
For a period of time hackers had turned their attention away from big businesses, which were seen as too tough a target, and focused instead on smaller, less well-resourced organizations. However, it would appear that in this period larger organizations have become complacent in their security practices, and hackers have been quick to refocus their efforts on big, data-rich organizations.
Although it is not certain exactly what records have been affected, it is staggering that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack – especially when you consider the warning shots that have been issued with previous high profile attacks.
If the claims are accurate and 600,000 customer records have indeed been compromised, that is a large amount of data that should have been better protected. The possibility that a large organization could even consider leaving such data as plain text on a server is surprising, to say the least.
As a result of this attack there is an additional risk of phishing attacks. Consumers should be aware that the value of this data to criminals and fraudsters should not be underestimated, nor should the potential damage that they could suffer as a result. When these serious ramifications are taken into consideration, it is concerning that Domino's took four days to alert customers to the potential risks they faced.
People should be very cautious about clicking on links in emails which claim to be from Domino's, no matter how authentic they seem. There is a very real risk that attackers will try to exploit this breach to send phishing emails to affected users in an attempt to harvest more sensitive data.
It will also be interesting to see what response, if any, the various industry bodies will take in punishing firms for bad practice. For instance, if payment card data has been left unencrypted and has been compromised, will the PCI Council move to fine the organizations involved, or stand idly by?
Businesses of all sizes should be reviewing their data handling and storage practices as a matter of urgency in the coming days and weeks, to ensure that they are not unwittingly offering an easy target for hackers. This should include ensuring that all sensitive data is strongly encrypted, both at rest and in transit.
In addition, businesses should be ensuring that all employees are aware of potential threats and are up to speed with best practice, as hackers often target employees first to gain a foothold they can later exploit. Educating staff will help ensure that the organization is adequately prepared for the risk posed by cyber-attacks.