"This is an example of high-quality security technology in action."
When the news broke last week that Great Western Railway (GWR) had suffered a data breach, in which the UK operator revealed that hackers had illegally accessed the details of approximately 1,000 of its customers, there was understandable concern from those customers who were at risk. James Barrett from the data network company Endace takes a closer look at the cyber security breach to explain that, while some members of the public with a tainted view of the rail industry may hold GWR responsible, in his view the rail company is blameless.
In total, around 1,000 accounts out of roughly one million were “directly affected” by the attack; for the sake of clarity, that is 0.1% of its customers. Unlike other high-profile and well-reported cases where hackers have gained entry via outdated security systems or poorly chosen passwords, GWR can rest easy. In this case, the hackers took username and password combinations leaked from other hacked websites and services and used them to log into GWR.com accounts whose owners had reused those credentials. This is a common attack known as credential stuffing.
GWR’s response was impressive. Very few customer accounts were actually impacted because GWR was quick to recognise that an automated login system was trying leaked username and password combinations against its website. This is an example of high-quality security technology in action: just enough activity to sound the alarm, which then gets identified, stopped and shut down immediately. While I am not privy to the technology GWR is using, it is likely to be an AI-based system.
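The article does not say how GWR spotted the automated logins, but the pattern it describes is detectable from ordinary authentication logs. The following is an added example, not GWR’s or Endace’s code: a small Python detector run over constructed log lines. The log format, the three source addresses, the account names and the thresholds are all assumptions chosen for illustration. It separates credential stuffing (one attempt against many different accounts, mostly failing) from a classic brute-force attack (many attempts against one account), and reports which accounts the stuffing source actually got into, which is the list that would drive password resets and customer notification.

```python
"""Toy credential-stuffing detector over constructed web-server auth logs.

Added example, not GWR's or Endace's code. The log format, thresholds and
sample lines below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<timestamp> <source_ip> LOGIN <username> <ok|fail>"
LOG_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (ok|fail)$")

MIN_ATTEMPTS = 5       # assumed: below this a source is not worth classifying
MIN_FAIL_RATIO = 0.7   # assumed: automated guessing fails far more than it succeeds
MIN_USER_SPREAD = 0.8  # assumed: stuffing hits a new account on nearly every try

# Constructed sample. 203.0.113.9 tries one leaked pair per account (stuffing,
# one reused password works); 198.51.100.7 hammers a single account (brute
# force); 192.0.2.1 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2018-04-10T09:00:01 203.0.113.9 LOGIN alice@example.com fail
2018-04-10T09:00:01 203.0.113.9 LOGIN bob@example.com fail
2018-04-10T09:00:02 203.0.113.9 LOGIN chen@example.com fail
2018-04-10T09:00:02 203.0.113.9 LOGIN dave@example.com ok
2018-04-10T09:00:03 203.0.113.9 LOGIN eve@example.com fail
2018-04-10T09:00:03 203.0.113.9 LOGIN frank@example.com fail
2018-04-10T09:00:04 203.0.113.9 LOGIN grace@example.com fail
2018-04-10T09:00:04 203.0.113.9 LOGIN heidi@example.com fail
2018-04-10T09:00:05 203.0.113.9 LOGIN ivan@example.com fail
2018-04-10T09:00:05 203.0.113.9 LOGIN judy@example.com fail
2018-04-10T09:01:00 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:01:01 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:01:02 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:01:03 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:01:04 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:01:05 198.51.100.7 LOGIN carol@example.com fail
2018-04-10T09:02:00 192.0.2.1 LOGIN erin@example.com fail
2018-04-10T09:02:09 192.0.2.1 LOGIN erin@example.com ok
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts that logged in OK


def parse_line(line):
    """Return (timestamp, source_ip, username, success) or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, outcome = m.groups()
    return ts, src, user, outcome == "ok"


def aggregate(lines):
    """Collect per-source attempt, failure and distinct-account counts."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines rather than aborting the sweep
        _, src, user, ok = parsed
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return stats


def classify(s):
    """Label one source by how its failures spread across accounts."""
    if s.attempts < MIN_ATTEMPTS:
        return "benign"
    fail_ratio = s.failures / s.attempts
    spread = len(s.users) / s.attempts  # 1.0 means a fresh account every try
    if fail_ratio < MIN_FAIL_RATIO:
        return "benign"
    if spread >= MIN_USER_SPREAD:
        return "credential_stuffing"
    if len(s.users) <= 2:
        return "brute_force"
    return "suspicious"


def detect(lines):
    """Return {source_ip: (verdict, sorted compromised accounts)} for non-benign sources."""
    out = {}
    for src, s in aggregate(lines).items():
        verdict = classify(s)
        if verdict != "benign":
            out[src] = (verdict, sorted(s.compromised))
    return out


if __name__ == "__main__":
    for src, (verdict, accounts) in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {verdict}, compromised accounts: {accounts}")
```

Two caveats a practitioner would add. First, the per-source heuristic above is the easy case: real credential-stuffing tools spread attempts across proxies and botnets so that each address stays below any per-IP threshold, so production detection also watches the site-wide login failure rate, user-agent and TLS fingerprints, and request timing. Second, the successful logins from a stuffing source are the genuinely affected accounts, which is why the count of “directly affected” customers is so much smaller than the number of attempts.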
What is interesting in this case is that the Information Commissioner’s Office (ICO) was notified: an unnecessary step, but one that is in line with the GDPR breach notification rules that come into force next month. As part of its response, GWR was also proactive in notifying its customers by email, a tactic that has since been mistaken, somewhat ironically, for phishing. I guess sometimes you’re damned if you do, and damned if you don’t.
Outside of the specifics, this is a timely test case of the role GDPR will play for businesses. GWR has clearly used this opportunity to road-test its GDPR response, which can only stand it, and its customers, in good stead going forward. The fact remains that, despite being open and honest, and despite not being at fault in this case, GWR will still have a public record of a breach. This looks like the new normal for companies. Soon, consumer trust in businesses won’t be based on which have been hacked versus which haven’t; instead, it will be driven by which companies best handle their responses to attacks.
James Barrett is senior director for Europe, the Middle East and Africa at Endace.