Months after massive data breach, company still serving insecure website
In another blunder by Dixons Carphone Warehouse, the recently hacked retailer – which claims to have been “working intensively with leading cyber security experts” – was exposed today as still serving up an insecure HTTP corporate website.
The revelation comes two months after the company disclosed a massive 2017 hack. On Tuesday it admitted that the breach had exposed 10 million records of its customers’ personal data, rather than the 1.2 million first thought.
“Advised Against Using Secure Site”
Unlike HTTPS – which encrypts information passing between a device and a website – HTTP leaves that information open to interception by a malicious third party. (Since July, Google has marked websites “insecure” if they don’t use HTTPS.)
In an exchange on Twitter, Information Security Consultant Paul Moore raised the issue of the insecure site with Carphone Warehouse’s “KnowHow” support team, only to be told initially that he should simply drop the “S” from the URL he was typing.
— Paul Moore (@Paul_Reviews) July 31, 2018
Dixons Carphone Warehouse Purchased a Valid Certificate Yesterday
He told Computer Business Review: “HTTPS was enabled, but it had the wrong certificate and wouldn’t load unless you accepted the security warning. They purchased a valid certificate yesterday, after I contacted them.”
“I wouldn’t expect the social team to fully understand the issue, however they said it had been escalated to IT security specialists who couldn’t see a problem!”
“They actually advised against using the ‘secure’ version because it wasn’t implemented properly… then claimed they didn’t collect any user info. I immediately found a page which collects data, to be told that entering info was optional.”
He added: “The footer on said page claimed they’ll handle that data appropriately & securely… The majority of their other sites have TLS deployed properly, so this appears to be an isolated incident. In light of recent events, it’s slightly embarrassing.”
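The two conditions Moore describes, a site served over plain HTTP without a redirect, and an HTTPS endpoint whose certificate does not match the hostname, are straightforward to check programmatically. The following Python is an added example, not code from the article or from any of the companies named; every hostname and certificate field in it is constructed for illustration.

```python
"""Check a hostname for (a) plain HTTP that is not redirected to HTTPS and
(b) a certificate that does not cover the requested name. The sample data
used in the tests is constructed, not taken from any real site."""
import socket
import ssl
from urllib.parse import urlsplit


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """True if a certificate (in the dict form ssl.SSLSocket.getpeercert()
    returns) lists the hostname in its subjectAltName. Applies the usual
    single-label wildcard rule: *.example.test covers www.example.test but
    neither example.test nor a.b.example.test."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        # wildcard may only stand in for the leftmost label
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def http_redirects_to_https(status: int, headers: dict, hostname: str) -> bool:
    """True if a plain-HTTP response sends the client to the HTTPS origin of
    the same host. A 200 with page content means the site is being served
    over HTTP, which is the situation reported in the article."""
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(headers.get("Location", ""))
    return target.scheme == "https" and target.hostname == hostname.lower()


def fetch_live_cert(hostname: str) -> dict:
    """Connect to a real host on 443 with default verification enabled, so a
    wrong or untrusted certificate raises ssl.SSLCertVerificationError
    instead of being silently accepted. Only called when you run it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```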
Web security expert and founder of haveibeenpwned.com, Troy Hunt, told Computer Business Review: “It’s rather alarming that even after major security incidents, one of the simplest, most fundamental security controls is missing from Dixons and it’s such a foreign concept that it confused their support staff!”
Dixons Carphone Warehouse has been contacted for comment.
An earlier 2015 hack of an insecure WordPress website that resulted in another data breach saw Dixons Carphone Warehouse hit with a £400,000 fine by the ICO.