Just one month later, the Currys PC World/Dixons Travel hack would have cost them a heck of a lot more

In the summer of 2018, British shoppers found out that hackers had planted malware on 5,390 point-of-sale payment tills at the high street stores of Currys PC World and Dixons Travel, and had stolen the personal data records of 1.2 million individuals and 5.6 million payment card details.


An investigation uncovered that the data was stolen between 24 July 2017 and 25 April 2018, and identified a number of security failings on the part of parent company DSG Retail, including:


The point-of-sale (POS) systems were not segregated from the wider Dixons corporate network. Network segmentation could have helped contain the compromise to just one part of the network.
There was no local firewall configured on the POS terminals.
Inadequate software patching of DSG's domain controllers and of the systems used to administer them.
A lack of regular scanning to identify vulnerabilities on the network.
Not all POS terminals were properly configured with application whitelisting to prevent unauthorised code from running.
A lack of logging and monitoring systems to identify incidents and respond to them in a timely fashion.
Some POS terminals were running out-of-date software, for instance an eight-year-old version of Java.
DSG's outdated POS system did not support point-to-point encryption (P2PE).

This week the Information Commissioner’s Office (ICO) announced that it was fining DSG Retail £500,000.


What struck me, however, is that the fine could have been much MUCH worse for DSG Retail if the hack had gone unnoticed for just one ..