We might not know who they are, but we’ve got a pretty good idea of what they like to eat after cyber hackers recently accessed customer accounts at the online takeaway service Deliveroo. After customers noticed fraudulent orders – including £200 worth of burgers and over £400 for four curries, six naans and a kebab, plus three grilled chickens, four pizzas, five cheesecakes, garlic bread and eight bottles of vodka – media headlines soon splashed the news of Deliveroo’s problems.
It could be you
Following hard on the heels of Deliveroo, Camelot, the National Lottery operator, also found itself in the crosshairs of the media after news that up to 26,500 online accounts had been compromised. But what the recent hacks of Camelot and Deliveroo have in common is that, despite the negative media coverage, the companies’ systems had not been breached. In fact, hackers had likely stolen customer details from other businesses and relied on a common failing: many people use the same email address and password combination across different websites.
Think of it like losing your door key. The hacker who finds the key might not know which house you live in but if they try enough doors, eventually that key will open one up. Except hackers don’t need to walk the streets and try each door – they have software (‘bots’) that will automatically do that for them across thousands of websites, until they find a site that they can access using your details.
Fewer hurdles to clear
An additional problem is that competitive pressure and consumer demand have forced many companies to make the customer user journey as speedy and efficient as possible. If Deliveroo makes it more cumbersome to order food, for example, customers will simply go to UberEATS or another competitor. But while fewer clicks result in a quicker service, they can also mean that hackers can gain access to customer accounts with fewer details, or more easily misuse that service once they have gained access.
One of the key lessons is the need for better education when it comes to password hygiene. In a previous blog, we talked about how only a third of people are following government guidelines when it comes to password management. It’s well worth looking at the government’s Cyber Aware campaign to check whether you’re following best password practice. Another tip is to make use of password manager software to store passwords safely and even generate ‘hard to crack’ passwords.
It is vitally important that we all use strong, different passwords across different sites rather than relying on a single one. That way, one compromised website shouldn’t lead to problems elsewhere. It may also be time for both users and software developers to consider whether faster access to systems and services is worth the additional security risk.
Speed is of the essence
The second lesson is how important it is for businesses, as soon as they are aware that there is a problem, to quickly identify the root cause of the data breach. The quicker they can establish that it’s not related to a breach of their own systems, for example, the quicker they can manage the potential reputational issues.
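One way a business could check its own login records for the pattern described earlier (a bot trying many customers' stolen details once each) is sketched below. This is an added example, not code from Deliveroo, Camelot or Hiscox; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i:02d}", i == 5) for i in range(1, 9)]
    + [("198.51.100.20", "alice", False)] * 12
    + [("192.0.2.50", "bob", False), ("192.0.2.50", "bob", True)]
)

def classify_sources(events, min_accounts=5, max_tries_per_account=2,
                     max_success_ratio=0.2, brute_tries=10):
    """Label each source IP. Thresholds are illustrative assumptions."""
    # ip -> username -> [attempts, successes]
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, ok in events:
        rec = per_ip[ip][user]
        rec[0] += 1
        rec[1] += int(ok)
    verdicts = {}
    for ip, users in per_ip.items():
        attempts = sum(a for a, _ in users.values())
        successes = sum(s for _, s in users.values())
        busiest = max(a for a, _ in users.values())
        mostly_failing = successes / attempts <= max_success_ratio
        # Stuffing: many different accounts, each tried only once or twice.
        if (len(users) >= min_accounts and mostly_failing
                and busiest <= max_tries_per_account):
            verdicts[ip] = "credential_stuffing"
        # Brute force: one account hammered with many guesses.
        elif busiest >= brute_tries and mostly_failing:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

def exposed_accounts(events):
    """Accounts logged into from a stuffing source: reset and notify these."""
    verdicts = classify_sources(events)
    return sorted({user for ip, user, ok in events
                   if ok and verdicts[ip] == "credential_stuffing"})

if __name__ == "__main__":
    print(classify_sources(SAMPLE_EVENTS))
    print(exposed_accounts(SAMPLE_EVENTS))
```

A source labelled as stuffing, with logins that succeeded on the first attempt, points to passwords reused from elsewhere rather than a breach of the company's own systems.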
Outsource the IT investigation
For smaller businesses that don’t have the same level of infrastructure as bigger organisations when it comes to investigating IT issues and managing external communications, this is where a good cyber insurance policy can be invaluable in outsourcing the investigation and remediation of the problem, even when they haven’t done anything wrong. Not only can they get access to forensic IT experts to validate whether an attack has taken place or not, and then remedy it if so, but they will also have crisis management support from a public relations agency that can help them manage and minimise any reputational fallout.
We all know that, as users, we need to practise better password hygiene but until that becomes commonplace, every business should plan for the possibility that a data breach elsewhere could lead to their customers experiencing problems.
Find out more about our Hiscox cyber and data risks insurance