The words written by Cash Converters’ Social Media team this morning, “Good morning all. We are here to answer any queries you may have until 5.30,” seem happy and pleasant enough. But their main feed has been pretty quiet ever since.
Their replies feed, however, has been pretty active – unfortunately, they are all variations of, “We are happy to discuss this with you over the phone or email.”
The company has admitted today that customer usernames, passwords and addresses may have been taken by a third party. Data breaches from live sites are embarrassing enough, but it has emerged that this unauthorised access was to an old site which is no longer in use by customers, but was still online.
Jon Topper, CEO of UK tech company The Scale Factory, has said, “When migrating away from old solutions it’s important to bear in mind that old digital assets will still be running and available online until such time as they are fully decommissioned. As a result they should still be treated as ‘live’, which means maintaining a good security posture around them, keeping up with patching and so forth.
“In their customer notification, Cash Converters were quick to point out that the old site was operated by a third party, possibly intending to deflect responsibility for this breach, which definitely won’t fly under GDPR regulations coming into force next year. Companies running server infrastructure that handles customer data should be engaging with experts to review their security posture ahead of that, in order to avoid being slapped with a large fine.”
With recent reports and studies suggesting that only a fraction of large UK and multinational organisations are ‘Highly Confident’ of GDPR compliance before next May’s deadline and, perhaps more worryingly still, that only 25% of law firms surveyed are ready for GDPR, issues surrounding the security of personal data will only come under the microscope more often in the coming months.