Kiddicare data breach: Industry reaction and analysis

Yesterday, a government report revealed that two-thirds of UK businesses have been hit by a cyber attack in the last year, and today we have yet another example of the security dangers businesses are facing.

UK retailer Kiddicare has announced that it has suffered a data breach exposing the information of 800,000 customers. Various industry professionals have offered their thoughts and analysis.

Richard Beck, Head of Cyber Security at QA:

"In security circles we talk a lot about the insider threat – where, either through malicious intent or genuine mistake, the actions of an individual expose their employer to a cyber security problem. It’s an increasingly serious challenge, as highlighted by a recent study by ISACA and the RSA Conference, which found that four in ten organisations experienced insider damage at least quarterly in 2015.

"It’s not clear in the Kiddicare incident whether the breach was caused by human error or deliberate intent, but it does underline that organisations need to be vigilant in two areas. First, set clear IT security policies for their staff to follow. Second, ensure that staff are adequately trained to understand the importance of, and adhere to, the security policies they have been given."

Trent Telford, CEO at Covata:

“Once again it’s the customers who are feeling the effects of a company’s carelessness. When websites are in the midst of development things are bound to go wrong, but this latest breach begs the questions of why real customer data was used and, critically, why it wasn’t encrypted. It’s bad enough that personal details were compromised, but had a hacker been able to breach its main site and similar encryption precautions been missing, more sensitive data – such as payment details – could have been stolen, meaning Kiddicare would be facing a much bigger problem.

“This needs to serve as a reminder that data must be protected wherever it goes. Whether it’s stored on a test site or in data centres on the other side of the planet, companies must have advanced encryption and policy controls in place to ensure that they remain in control. Had Kiddicare assigned access management to the data, it would have been able to spot immediately that data was being viewed by unauthorised employees and siphoned out of the network, meaning it would not have taken multiple customers to report suspicious text messages before an investigation was launched. Businesses must stop burying their heads in the sand when it comes to data security, especially as the incoming EU GDPR will give the consumer more power to fight back if their information is compromised.”

Dave Palmer, Director of Technology at Darktrace:

"Cyber breaches like Kiddicare’s continue to make headline news and highlight the need for organisations to strengthen their cyber defence strategies. Cyber attacks are evolving in sophistication and are now able to sidestep traditional security mechanisms, compromising company systems and customer data.

"In Kiddicare’s case, the company only became aware of the breach when customers reported suspicious text messages. This highlights the need for new self-learning immune cyber security systems that focus on optimising the visibility of an IT system and identifying suspicious behaviour as it occurs, alerting companies to attacks before a business crisis develops."
