How to avoid this happening to you:
“Basic IT security good practice isn’t difficult and can go a long way to mitigating the risk of this kind of attack. The ICO has published some very helpful and detailed guidance in its paper from last year, ‘Protecting personal data in online services: learning from the mistakes of others’. Since this paper is basically a list of things that the ICO has fined people for not doing, CIOs should study it carefully!
“Businesses are also well advised to have an action plan in place for dealing with data breaches. That plan should describe at least how it will identify the attack vector, how it will work out what is compromised, how it will inform those affected, how it will mitigate the damage to them and how it will notify and work with relevant regulators. Reacting to data breaches necessarily involves IT, legal, communications and senior management all working together, so all of those stakeholders should be involved in formulating that plan.”
What Carphone Warehouse should do now:
“I understand that they have informed the ICO. While not yet a legal requirement for most businesses, early disclosure both to regulators and those affected is good practice and will probably be seen as a mitigating factor by the ICO.
“Where I think Carphone Warehouse made a mistake is in pushing the onus of mitigating the damage onto those affected. While there are some things that only the data subjects themselves can do, such as cancelling credit cards, it would probably have been more helpful if Carphone Warehouse had offered some kind of real assistance, perhaps setting up a helpline or doing a deal with an ID theft monitoring service, as Sony did. Their communication about who is and is not affected could also be a lot better. For instance, while they probably don’t know the full extent of who is affected yet, they should at least be able to identify classes of customers who are definitely not affected, and communicate that to them clearly.”
Daniel Hedley, tech specialist associate at Thomas Eggar LLP