Andrew Vine: If you want our business, then protect our data

I’VE just spent a tedious couple of hours going through a raft of online accounts, changing passwords and checking the bank for any suspicious transactions.

It’s a chore, prompted by an email from somebody called Antreas Athanassopoulos whose title is chief customer officer at Dixons Carphone Warehouse, the company from which I bought my mobile phone.

What more should be done to enhance cyber security?

I’d never heard of this man, but he’s been in touch because my name, address, date of birth, telephone number and email are amongst 10 million items of information stolen from his company by hackers. This apparently happened last year, but he’s only now got round to telling any of the customers.

Mr Athanassopoulos is at pains to point out that bank details have not been hacked, but then rather undermines that assertion by recommending that people monitor their accounts for any suspicious activity.

His email has the feel of having been drafted by a public relations professional who has attempted to balance contrition with an air of competence about safeguarding people’s details.

“We’re extremely sorry about what has happened – we’ve fallen short here,” writes Mr Athanassopoulos. “We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.”

Well, sorry Mr A, but I’m not at all confident about that, not least since this data breach happened in 2017, which means somebody has potentially been in possession of at least part of my identity for perhaps a year.

The other thing that makes me lack confidence in his assertion is that over the past few months I’ve seen an upsurge in spam email, and clumsy scams trying to winkle bank details out of me.

The two may not be connected, but it seems to me a very odd coincidence if they aren’t. In fact, when his email arrived, it answered a question that has been in the back of my mind for months – why has all this stuff suddenly started arriving?

I doubt it will bother Mr A at all that I don’t plan to renew my acquaintance with Dixons Carphone Warehouse when my current mobile phone contract expires, but it isn’t just the slippery tone of his email which accounts for that.

It’s the fact that 24 hours after it dropped into my inbox, the company smugly forecast a pre-tax profit for 2018/19 of £300m.

Leaving aside that it’s a PR blunder to crow about making that amount of money the day after revealing that vast amounts of personal information have been leaked, it begs the question why a company so profitable is not devoting the resources necessary to securing its IT systems so tightly that they make Fort Knox look like a garden shed. Locking the stable door after the horse has bolted with a hacker in the saddle geeing it up for all he’s worth isn’t good enough.

Dixons Carphone Warehouse is far from the only prominent company to admit massive data breaches.

Days after the email arrived last week, British Airways admitted that 380,000 customer records had been hacked, including bank and credit card details. An immediate promise to compensate any customers who were defrauded as a result was the clearest possible indication that the hackers had really hit the jackpot.

I have every sympathy with the BA customers affected, and I guess that many of them are feeling just as annoyed as me about what amounts to a gross breach of trust.

All of us are constantly reminded to keep anti-virus software up to date and be vigilant online to thwart hackers, yet multi-million pound companies appear not to do so.

According to the Government’s annual Cyber Security Business Survey earlier this year, 43 per cent of businesses had identified data breaches in the previous 12 months. But only 20 per cent of staff had any cyber security training.

It would be unthinkable that staff were not trained in equality issues, or company guidelines on acceptable behaviour, so why not in online security?

It’s becoming rare for any of us to carry out everyday transactions without going online, whether it be to bank, pay bills or carry out mundane tasks such as buying car or home insurance.

There’s little choice but to enter relationships of trust in the online society in which we now live. We do it in good faith, believing that companies which are household names respect that trust.

But too many of them don’t. They are happy to take our money, yet fail to spend enough of it on securing the information we freely hand over. Insincere apologies for allowing it to be stolen and misused are worthless.

It is incumbent upon them to keep it safe in the first place. If they can’t, we, the customers, should refuse to do business with them.