Thursday, December 14, 2017

Tag: supermarket

100,000 staff entitled to comp for 'upset and distress' caused Morrisons is responsible for the leak of staff personal details by an ex-employee, the High Court ruled today.…
Judge finds there was "a lack of any proper testimony as to specific causation."
SuperValu breached after cyber attack at mega-retailer Shoppers at SuperValu, Centra and Mace have been told to review their bank statements following a cyber attack against Irish retailer Musgrave.…
Johnson & Johnson is on a losing streak, with more than 5,000 cases to come.
The supermarket chain has blamed independent payments provider Cuscal for the error that has seen transactions withdrawn a second time from some customers' bank accounts.
Amazon is buying the chain at $42 a share, but John Mackey will remain CEO.
New "design system" will span everything from phones to virtual reality.
[Image: Barry Bowser, seen here in front of the Bakersfield property where he was arrested in 2014. Credit: Cyrus Farivar]

BAKERSFIELD, Calif.—Most convicted criminals don't make a point of publicly apologizing for their crimes in the local newspaper.

But Barry Bowser, who was convicted in 2015, is no ordinary criminal. “For shining a laser at a helicopter for three seconds, I lost my entire life,” Bowser wrote in a recent letter to the editor of The Bakersfield Californian. “I am now 54 years old and I have no one and nothing but the clothes I was given when I was released from prison.” Weighing at least 250 pounds with a wide chest and a handlebar mustache, Bowser has quite a presence. He agreed to meet me near a local supermarket and arrived in dark sunglasses, black sneakers, black-striped shorts with skulls on the edges, and a t-shirt advertising a local orthodontics practice. John Goodman would be a shoo-in for the lead role if there’s ever a Bowser movie. Bowser had previously done time, serving multiple stints in California state prison on drug and identity theft charges.

But this go-round was different—no drugs, no theft, no violence. Instead, in a fleeting moment that he still calls an accident, Barry Bowser violated 18 US Code § 39A of the Federal Aviation Administration Modernization and Reform Act of 2012: Whoever knowingly aims the beam of a laser pointer at an aircraft in the special aircraft jurisdiction of the United States, or at the flight path of such an aircraft, shall be fined under this title or imprisoned not more than five years, or both. That led to a 21-month prison sentence, though Bowser was released after 11. Prison cost him more than time; Bowser also lost several teeth. As we drove the few miles to the scene of his crime, Bowser told me that he had just come from a denture-fitting appointment at an orthodontist’s office, needed after a race riot at the county jail where he had been held at the request of federal authorities. “I got busted in the mouth with a lock in a sock, knocked my teeth out,” he said. “That was my first day in Fresno County jail.” And all for making a poor decision with a laser pointer.

Waiting on enchiladas

Back in September 2014, Barry Bowser was trying to get his life back on track.

After having been a functioning methamphetamine addict for 25 years, he said he had been clean for four consecutive years at that point. He had worked various oil and industrial jobs, as a derrick hand, an operator, a tool pusher, and as a natural gas compressor mechanic in Elk Hills (the “best job of my life,” Bowser noted). Now, he was fixing people’s cars in their driveways throughout the Bakersfield area. “I had a business going, I had a mobile mechanic business going, buying my own house,” he said. “I hadn't been that clean in years, feeling good on life.” Around this time, a friend, Danny Gibson, loaned Bowser a motorhome and invited him to park it on a large, commercial property on N. Sillect Ave., on the edge of town.
In exchange, Bowser would do some maintenance and act as a sort of night watchman. Other properties nearby include a local union office, an animal hospital, and a strip club, Exotic Kitty’s.

The property also used to be a Home Depot, so it had a large storage area and a large parking area as well.

Bowser soon found out through a friend that the area had some recent reports of burglaries. Late in the evening on September 11, 2014, Bowser received a call from his friend Todd.

Todd was making enchiladas, would Bowser like some? Bowser said he would. While waiting, he began rummaging through drawers in the motorhome as a way to pass the time and found a laser pointer that Gibson had given him as a dog toy (for Bowser’s pitbull, also named Bowser).

A few moments later, Bowser found batteries for the pointer.
In they went, and lo, it worked. Bowser stepped outside with his dog and began shining the laser along a fence, trying to get his dog to chase the beam.

The pit quickly lost interest, and Bowser instead began testing the range of the laser to see what else it could hit. He managed to hit a billboard several hundred yards away.

Then he aimed for a radio tower with a blinking red light on the top.

Each target proved too easy.
So Bowser aimed for a second radio tower that was a quarter or a half mile away. Then came the three seconds that would change the man’s next two years. Bowser's laser seemed to hit something in the sky, but he wasn’t sure what, if anything, it was. He started to bring the laser down just in case, and that’s when a helicopter began pivoting to face him.

The laser beam then caught the windshield, and the glass “lit up like a Christmas bulb.” Bowser watched as the helicopter started to swerve and dip. Up in the helicopter, the pilot, Deputy Kevin Austin, saw the laser beam shoot past his head and through the open helicopter door. (It’s common practice to remove helicopter doors during hot weather.) The Tactical Flight Officer (TFO), a sort of police spotter who also was aboard the helicopter at the time, didn’t notice the laser.

But then the light hit the windshield directly. Austin later described the moment in an e-mail to prosecutors: The laser struck the helicopter twice.

The first was less than a second, followed by the second strike, which lasted between two and three seconds.

The second strike was held long enough for me to visually spot the exact location of the source, and the suspect was standing in an open area where I could see the silhouette of his person.
I immediately executed a left, diving turn toward the source to gain airspeed while closing the distance.
I also flipped my [night-vision] goggles down which made it easier to keep a visual on the suspect while he was still out in the open area. Once we arrived over the location of the suspect, he was still in an open area. We kept him illuminated with the helicopter's spotlight and observed him until we lost sight of him when he walked under a large, metal awning. My TFO, Deputy Jeremy Storar, used binoculars to obtain a good description of him as well. Bowser didn’t know the world of legal trouble he would soon face, but clearly he had annoyed somebody. His girlfriend Wendy and his buddy Todd arrived with the promised enchiladas as the helicopter hovered nearby.

Bowser went to the locked gate and rolled the laser out to her. “Get that thing out of here,” Bowser said. “What’d you do?” Wendy asked him. “Baby, just take this, give me the food, and I’ll call you,” he said. Bowser took his dinner, went inside the motorhome, changed clothes, and ate. But up in the sky, the helicopter crew had him under surveillance.

Austin described what happened next in that same e-mail: My TFO, Deputy Storar, and I watched him reach under a closed, locked chain-link gate to the driver of the SUV.

Deputy Storar observed the suspect and driver at the gate using a pair of binoculars.

The driver gave the suspect what appeared to be a bowl with possible food in it.

The exchange was made under the gate.
I told Deputy Storar to watch closely because I felt the suspect would hand the laser to the driver of the SUV.

The driver left moments later, but we were not certain whether the laser had been given to the driver. While Deputy Storar was observing with binoculars, I had control of the helicopter’s spotlight and used it to keep the driver and suspect illuminated. It was only a matter of time until the cops arrived.

[Image: Barry Bowser had parked his motorhome under this awning. Credit: Cyrus Farivar]

About 15 minutes later, a Bakersfield Police Department patrol car arrived at the locked gate.

Two officers stepped out and approached the locked fence. One, officer Eric Celedon, called out to Bowser. “Do you know why we are here?” Bowser knew.

They were here because he’d hit the helicopter with the laser, but Bowser tried to explain it away. He was merely testing the laser and didn’t mean to cause any harm, he said. As the two talked, Bowser could hear Celedon’s shoulder-mounted radio blaring.

A voice, which he quickly figured out belonged to the helicopter pilot, pierced through an already tense situation: “I want that son of a bitch arrested! He’s going to jail! He about got me in a wreck!” Celedon obliged. He arrested Bowser for violating California Penal Code 247.5, the part of the state criminal code that deals with laser strikes. He read Bowser his rights and began a short interview, as court records show:

Celedon: But you pointed it towards the helicopter?
Bowser: Yes I guess I did.
Celedon: What do you mean you guess? Either you did or you didn’t.
Bowser: I did but I never seen it hit the helicopter. You know I didn’t even know if it was, the battery was going weak. You know, and...
Celedon: ... So you didn't, but you pointed it at the helicopter, you just didn’t know you hit it? Was that it?
Bowser: Um, yes I didn’t know if the batteries were even strong enough to hit, actually hit it.
Celedon: Oh OK.
Bowser: And I wasn’t trying hurt, I didn't even know if that was a cop helicopter. I wasn’t trying to hurt nobody, you know what I mean?

[Illustration credit: Aurich Lawson / Thinkstock]

Trouble

It may seem absurd that a tiny, pen-sized laser could become such a concern for authorities.

But rest assured pilots do not take these situations lightly—they see lasers as a potentially dangerous nuisance. Many liken the experience to unexpectedly facing bright headlights on a dark country road. Officers have previously told Ars the experience can lead to temporary flash blindness. “[It takes] five to seven seconds to refocus, depending on the strength,” Fresno Police Officer Ken Schneider told Ars in 2014. “I once took a direct hit to the eye and had a tingling irritation for four hours.” The federal government takes such laser strikes seriously, too.

The Department of Justice told Ars that more than 28,000 laser illumination incidents in the United States have been reported to the Federal Aviation Administration between 2011 and 2015.

But as of 2014, only 134 arrests were made, and there were only 80 convictions. This year, as of October 22, the FAA reported 5,564 incidents nationwide.

That’s more than 22 laser strikes reported in the United States every day. Of those, Phoenix tops the list of most cases with 263.

Bakersfield, by contrast, has just 34. But in Bowser’s situation, he didn’t just fire the laser at a Kern County Sheriff’s Office helicopter. He did so in a part of the country where Assistant US Attorney Karen Escobar presides. Her federal district was responsible for more than 35 percent of the convictions noted above, and she has personally prosecuted 17 laser strike cases—far more than anyone else in the US.

Escobar has never lost a laser case, either. “I don’t know of crashes, but I do know of pilots that have suffered permanent disabilities from laser strikes,” Escobar told Ars. Authorities are generally concerned that handheld lasers, which have been getting cheaper and more powerful in recent years and are openly sold on the Web, could be used by a terrorist or a criminal to bring down an aircraft. While no aircraft in American airspace has ever been brought down, much less forced to make an emergency landing due to a laser strike, there has been a concerted effort to identify and crackdown on those carrying out such strikes. This, along with 18 US Code § 39A of course, is what Bowser had gotten himself into. Originally, he said the government wanted to charge him with attempted murder, terrorism, and other charges that ultimately were not filed.

But with the laser strike, he decided to push his defense attorney to take the single count to trial, believing that it would be difficult to prove that he “knowingly” aimed the laser at the police helicopter.

"...but you did something."

After being arrested, Bowser posted bail and returned for his first court appearance days later.
Initially, he was met with a surprise—state charges had been dropped. No explanation was given.

As far as Bowser knew, he was free as a bird. With that out of the way, he and Wendy decided to move back to her home state of Arkansas. Little did Bowser realize, however, federal authorities had started their investigation.

They were searching for the motorhome and laser in question. Bowser and Wendy sold their belongings at a yard sale and packed up for Arkansas in December 2014.

But months later, in March 2015, Bowser heard that his aunt, his closest relative, had fallen ill. He had to come back to California if possible. Unable to afford the plane ticket on short notice, he bought a used car and began driving west.
Somewhere outside of Amarillo, Texas, the car broke down. He decided to then rent a U-Haul truck to accommodate him, his stuff, and Bowser the pitbull. After visiting his aunt, Bowser decided to drive to Bakersfield to return the truck. On his way, he pulled over at a rest stop near the town of Nipomo to walk his dog.

Because large trucks are not usually on the road so late at night, a San Luis Obispo County sheriff’s deputy began questioning him.

By coincidence, there had been a recent rash of drug shipments in the area. When the deputy ran Bowser’s name in his computer, he came back with bad news—a sealed federal warrant dating to December 2014 had Bowser’s name on it. (According to Escobar, it had taken several weeks to file the warrant as federal authorities were trying to locate the motorhome, the laser, and Bowser himself.) “I don’t know what you did, but you did something,” the deputy told Bowser. “I have to take you in.” Bowser the dog was taken to a local animal shelter immediately and likely put down over time.

Bowser the man was taken to the San Luis Obispo County Jail before being driven by FBI agents Erick Bach and Joshua Allan Nicholson to a federal detention center in Bakersfield. There, while seated in the front passenger seat, Bowser gave the two men the same story he gave officer Celedon that fateful night: “I didn’t really comprehend that it was a helicopter until I turned my beam onto it, ‘till that laser hit it.” On the ride back to Bakersfield, Bowser told the FBI agents that he had “mutilated” the laser while in Arkansas. He had initially told the Bakersfield Police that he had given it to Todd, but in fact he had given it to Wendy, who kept it and took it with them to Arkansas. “I was chopping firewood, and I sat it right on top of the log I was splitting, and I chopped it right along with the log,” Bowser would later tell Ars. By the end of the month, Bowser again insisted that he had not intentionally or “knowingly” struck the helicopter and invoked his right to a speedy trial.

A date was set for June 20, 2015.

[Image: Karen Escobar is an Assistant United States Attorney for the Eastern District of California. Credit: Cyrus Farivar]

"Knowingly" or unknowingly

During opening arguments, Assistant US Attorney Escobar did not mince words: You will also hear his own admission, because there is a tape of the Bakersfield police officer’s interview with the defendant at that time. And I ask when you are in the jury room deliberating later on, that you remember what the defendant said on that tape, which was right after the laser strike happened and right when everything was fresh in his mind. When Officer Celedon asked the defendant if he knew why the police were there, he responded unequivocally that it was because he had a laser pointer and he pointed it at a helicopter.

Erin Snider, a federal public defender, delivered her own opening statement to the jury moments later: You are also not going to hear any evidence that Barry continued to use the laser pointer after the helicopter started to respond.

As soon as that helicopter descended down out of the sky, Barry stopped what he was doing. He turned off that laser pointer. Now, the government bears the burden to prove beyond a reasonable doubt that Barry is guilty of this offense, and that’s to say that the government has to present evidence that firmly convinces you that Barry knowingly aimed the laser pointer at the aircraft. And it is going to be up to you to decide whether the government has satisfied its burden in this case.
So it is going to be up to you to decide whether in fact Barry knowingly aimed the laser pointer at the aircraft. Not accidentally, not mistakenly, not recklessly, but knowingly. The first witness the government put forward was the helicopter pilot himself, Kevin Austin. On the stand, Austin said the first laser strike gave him momentary “flash blindness,” which he said was “similar to a camera flash going off.” The second strike lit up the entire windshield. He also said that he experienced “irritation” in his left eye, comparing it to getting “sand or an eyelash” in his eye. After Austin, the prosecution furthered its case with a trio of witnesses.

TFO Deputy Storar noted that at the time of the strike, the helicopter was “en route to a report of a male subject that was naked and armed with a firearm.” Lt. Col. Leon McLin (Ret.), a senior research optometrist at the United States Air Force, testified that laser strikes similar to Bowser’s case would be “consistent with tracking” (meaning the laser was intentionally following the aircraft).

And Joshua Nicholson, then a senior deputy with the Kern County Sheriff’s Office, testified that Bowser would have had to “turn to strike the helicopter.” The defense, meanwhile, only put up Bowser himself as a witness. Bowser re-iterated the same story. When questioned by his own lawyer if he “intentionally” aimed the laser at the helicopter, the accused responded unequivocally: “No, I did not.” But upon questioning by Escobar, Bowser admitted that he hadn’t been truthful with Officer Celedon on the night of his arrest.

Bowser lied about having handed off the laser to Todd, when in fact he’d handed it off to Wendy.

Escobar: So it was OK at that time not to tell the truth?
Bowser: Ma’am, I can’t say I thought about this. I don’t know why I didn’t tell him the truth, ma’am. I have no idea why I didn’t tell him the truth about the laser.
Escobar: You have been convicted in the past with crimes involving dishonesty, correct?
Bowser: If that’s what you call them.
Escobar: Forgery?
Bowser: Yes, ma’am. Over a decade ago.
Escobar: And using someone else’s identity?
Bowser: Over a decade ago.

During closing arguments, Escobar addressed the jury plainly. Regardless of the language in 18 US Code § 39A, she pointed out that “it doesn’t matter that he didn’t intend to hit” the helicopter. “The crime is completed,” she continued. “The evidence clearly establishes it, and your common sense tells you there was an aiming because there were direct hits of the aircraft, and there was more than one strike.

The fact that the beam hit the aircraft establishes there was an aiming.” Janet Bateman, Bowser’s other defender, next got up and addressed the jury. “Barry Bowser is not guilty,” she intoned. “He is not guilty of knowingly aiming a laser pointer at a helicopter.” She laid out an argument that many defense attorneys attempt, that the government failed to prove its case.

Bateman pointed out that jurors should find Bowser not guilty, essentially, because he told them that he had not intended to fire the laser at the helicopter.

And under 18 US Code § 39A, intent matters (“Whoever knowingly aims the beam of a laser pointer at an aircraft…”). “So this certainly could have been an accident,” she continued. “The law contemplates a scenario just like this case, and it doesn’t allow for a person to be convicted.” The jury took four-and-a-half hours to reach a verdict: Bowser was guilty on the single count. Following the decision, he was sentenced to 21 months in prison. His lawyers’ request for a new trial was denied.

They appealed to the 9th Circuit, which affirmed the lower court’s verdict and sentence.

Bateman and Snider, the public defenders, did not respond to Ars’ requests for comment.

Moving forward

Today, standing outside of the chain-link fence where the laser incident happened, Bowser explained that he could easily make money again by slinging meth. He’s going to do his damnedest to stay on the straight and narrow, however. “Right now I just don’t know what to do,” he said. “I know what I can do, but I don’t want to do it.
I got God in my life now, and he’s leading me in the right direction.” Jail before trial, and then serving in federal prison was harder this time—not only did he get caught up in the riot, but the passing of time meant Bowser lost his girlfriend, his home, his dog. He’s also been out of contact with his children for years now, though he would like to let them know where he is with his life right now. “I don’t even know what my kids think, or if they knew they had a Dad,” he mused. “One of them was born when I was in [state] prison.” He’s applied for state disability benefits for the time being.

But if he does need to get a new job, Bowser said he’d like to use his experience with drugs and the prison system to help fellow addicts and criminals. He’d like to be a psychologist. “I got 20 years on this side, I think I could do it on the other side pretty good.” To this day, Bowser maintains the strike that has shaped the last two years of his life was an accident. However, he is also apologetic for his actions. “I'm writing this letter to apologize to the community of Bakersfield and to the Kern County Sheriff's Department —especially to the flight crew of KCSO Air One, piloted by Deputy Austin,” he wrote in that public letter to the Bakersfield Californian. “I also want to educate anyone who owns a laser and might be inclined to use it the way I did: Learn from my mistake.
I am now just getting out of prison.
I have paid dearly, for I have lost my girlfriend, my dog, my home, my vehicle.

Everything I owned, everything I have worked for 30 years of my life, is gone.” Escobar, the federal prosecutor who earned the conviction, told Ars that Bowser’s letter was the first time in her 26 years as a prosecutor in the Eastern District of California that she’s heard of anyone apologizing post-release after all appeals had been exhausted. It’s a gesture that hasn’t gone unnoticed.
In a response letter also sent to the Bakersfield Californian, a local woman praised Bowser for his candor and for showing compassion over the loss of his dog and much more. "Hang in there, Barry," she wrote. "Good things are coming, maybe even a brand new girlfriend."
Links to supermarket's systems may have exposed vulnerability

A former techie at Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket. Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank.

The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was "unaware" of any threat to the wider UK banking sector. Tesco Bank's security procedures were solid but the bank was exposed because of Tesco's "not-very-secure-at-all systems" – a weakness hackers might well have exploited, our informed source (who requested anonymity) speculates.

TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff.
Security architecture is sound, and vulnerabilities are patched in a timely manner.

Fraud monitoring systems are industry standard.

A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days. All staff are vetted as per standard processes – TB is no more vulnerable to an internal breach than anyone else.

Again, bigger and better targets are available.

TB does have a problem with retaining experienced staff, and hoping that junior staff will step up when they leave, but that's not uncommon. TB had one breach when they first opened Current Accounts – someone in the card printers got a list of card numbers and sold them.
It was caught in time, and cards were destroyed. Presumably security at the printers has been improved, but I'd consider that to be a continuing possible vulnerability. However, TB's major vulnerability is its ownership by Tesco, and the links between its secure systems and Tesco's not-very-secure-at-all systems.

There was no evidence of patching and monitoring occurring in Tesco systems that we linked to at all.
I strongly suspect that the Clubcard system has been breached and a list of TB account numbers farmed from there.
I also suspect that nothing will be done to trace that possible route – TB has no influence over Tesco at all, due to relative scale, and the apparent bad relations between the chief executives.

In a follow-up email the former Tesco Bank worker, who worked in IT for the bank and at one time on its anti-fraud system, offered more details on security failings at the parent retailer.

I worked on a TB project that had to verify certain customer information on Tesco systems.

The Tesco system would fall over on a regular basis, and we would have to tell Tesco it was down – they wouldn't monitor it.
It later became clear that it was an app server running on a very outdated piece of middleware, completely unpatched.

This was standard for Tesco systems. [The] only exception was the credit card payment system, which was secure because it was regulated.
Separately I was aware of an effort to tie some TB systems more closely to Clubcard. However, it had to be abandoned once the architects discovered how insecure Clubcard itself was. Various theories about what might have caused the breach at Tesco Bank have already been suggested.
Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach. Security intelligence firm Digital Shadows recently applied techniques for the Analysis of Competing Hypothesis (ACH) to assess the likelihood of the various competing explanations on offer.
It concluded that either payment system compromise or the cash-out of cloned cards were the two theories that best matched the available facts.

Cash-out of cloned cards would likely have been simpler to execute than payment system compromise, according to Digital Shadows, prompting the firm to lean towards this theory while not ruling out other possibilities. El Reg ran insights from the former Tesco Bank techie past Digital Shadows.
In response, Digital Shadows said that it had seen nothing so far which would suggest security problems at Tesco supermarket were behind the breach, before conceding that it was still investigating the breach. Ken Munro, a director at security consultancy Pen Test Partners, described the former Tesco staffer's theory as all too plausible, based on his years of experience in the IT biz rather than any direct knowledge of the supermarket's systems. "So often it's the incidental systems that cause issues," Munro told El Reg. "One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar.
I remember a pen test a few years back of a network that was pretty much bulletproof – up to date, pretty well configured, reasonable passwords etc. "Then we found an old fax server that was on the same domain.
It didn't take long to compromise that flaky fax box and from there the domain controller.

All the good work was undone by some failed oversight of one box. "You're probably only as secure as your least secure system," Munro concluded. Tesco Bank provided this statement: "On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m. "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency.

This remains a criminal investigation. "We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."

What went wrong at Tesco Bank?

Internal systems blamed for monster cyber-attack

Tesco Bank has enlisted the help of the recently established National Cyber Security Centre (NCSC) following the most serious cyber-attack ever launched against a UK bank. The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed.
Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.

At the same time Tesco announced that it was restoring normal service following the suspension of online and contactless transactions from current accounts applied in the immediate wake of the breach last weekend. NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking. Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely either Tesco's internal systems, or their mobile application, have been hacked.

Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN.

By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker." Tesco Bank manages around 136,000 current accounts.
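The storage dilemma Mann describes, shown as an added example that is not from the article or from Tesco Bank's systems: a login that takes the whole PIN can persist nothing but a salted hash, whereas a login that asks for "digits 2, 4 and 5" must be able to reproduce any subset of the PIN, so the PIN has to be kept recoverable. The six-digit PIN, the three requested positions and all class and function names are assumptions made for illustration.

```python
"""Added example: why partial-PIN login forces recoverable PIN storage.

Assumptions (not from the article): a six-digit PIN and a login step that
asks for three of its positions. All values are constructed for illustration.
"""
import hashlib
import hmac
import os
from itertools import combinations

PIN_LEN = 6            # assumed PIN length
DIGITS_REQUESTED = 3   # assumed number of positions asked for at login


def _kdf(salt: bytes, pin: str) -> bytes:
    # Salted, iterated hash: the only thing a full-PIN design needs to keep.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class FullPinStore:
    """Login asks for the whole PIN, so only a salted hash is persisted."""

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._digest = _kdf(self._salt, pin)

    def verify(self, pin: str) -> bool:
        return hmac.compare_digest(self._digest, _kdf(self._salt, pin))

    def persisted(self) -> dict:
        # A leaked record yields a salt and a digest; the PIN is not in it.
        return {"salt": self._salt.hex(), "digest": self._digest.hex()}


class PartialPinStore:
    """Login asks for e.g. digits 2, 4 and 5. The server must reproduce any
    subset of the PIN, which a one-way hash of the whole PIN cannot do, so
    the PIN itself (or a reversible encryption of it) has to be kept."""

    def __init__(self, pin: str) -> None:
        self._pin = pin

    def verify(self, positions: list[int], answer: str) -> bool:
        expected = "".join(self._pin[p] for p in positions)
        return hmac.compare_digest(expected, answer)

    def persisted(self) -> dict:
        # A leaked record is the credential itself: this is Mann's point.
        return {"pin": self._pin}


def subset_hash_table_size() -> tuple[int, int]:
    """The hashing workaround: keep one digest per possible position subset.
    Returns (number of subsets, total candidate values across all subsets).
    Each digest protects only a three-digit secret, so once leaked the table
    is cheaply enumerable offline; it does not restore the protection that
    a single full-PIN hash gives."""
    subsets = sum(1 for _ in combinations(range(PIN_LEN), DIGITS_REQUESTED))
    return subsets, subsets * 10 ** DIGITS_REQUESTED


if __name__ == "__main__":
    full = FullPinStore("271828")        # constructed sample PIN
    partial = PartialPinStore("271828")
    print("full-PIN record:   ", full.persisted())
    print("partial-PIN record:", partial.persisted())
    print("full verify:   ", full.verify("271828"), full.verify("271829"))
    print("partial verify:", partial.verify([1, 3, 4], "782"))
    print("subset-hash table (subsets, candidates):", subset_hash_table_size())
```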
Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack – and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands.
In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter." Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn. "When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident.

The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it.

The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late."