
Fresh Embarrassment for Dixons Carphone Warehouse after HTTP Howler

Months after massive data breach, company still serving insecure website

By CBR Staff Writer

In another blunder by Dixons Carphone Warehouse, the recently hacked retailer – which claims to have been “working intensively with leading cyber security experts” – was exposed today as still serving up an insecure HTTP corporate website.

The revelation comes two months after the company disclosed a massive 2017 hack. On Tuesday this week it admitted that the breach had exposed 10 million records of its customers’ personal data, rather than the 1.2 million first thought.

“Advised Against Using Secure Site”

Unlike the superior HTTPS – which encrypts information passing between a device and a website – HTTP is susceptible to information being intercepted by a malicious third party. (Since July, Google has marked websites “insecure” if they don’t use HTTPS.)

In an exchange on Twitter, Information Security Consultant Paul Moore raised the issue of the insecure site with Carphone Warehouse’s “KnowHow” support team, only to be told initially that he should simply drop the “S” from the URL he was typing.


Dixons Carphone Warehouse Purchased a Valid Certificate Yesterday

He told Computer Business Review: “HTTPS was enabled, but it had the wrong certificate and wouldn’t load unless you accepted the security warning. They purchased a valid certificate yesterday, after I contacted them.”

“I wouldn’t expect the social team to fully understand the issue, however they said it had been escalated to IT security specialists who couldn’t see a problem!”

“They actually advised against using the ‘secure’ version because it wasn’t implemented properly… then claimed they didn’t collect any user info. I immediately found a page which collects data, to be told that entering info was optional.”
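The failure Moore describes is a certificate that does not name the host being visited, so browsers refuse the connection unless the user clicks through a warning. The following added example (not from the article or from the retailer) shows how a defender can check this without accepting any warning: a hostname matcher that applies the one-label wildcard rule to a certificate's subjectAltName entries, and a live check using Python's ssl module with full verification. The certificate dict, the hostnames and the function names are constructed for illustration.

```python
import socket
import ssl

def hostname_matches(cert, hostname):
    """True if `cert` (a dict shaped like ssl.SSLSocket.getpeercert()) names `hostname`
    in its subjectAltName DNS entries, either exactly or via a single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            # A wildcard covers exactly one label: *.example.net matches
            # www.example.net but neither example.net nor a.b.example.net.
            suffix = name[1:]
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

def https_status(hostname, port=443, timeout=5):
    """Live check: connect with full verification (CA chain, expiry, hostname) and
    classify the outcome the way a browser would, without accepting any warning."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"ok": True, "reason": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "Hostname mismatch, certificate is not valid for 'www.example.com'"
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"no usable TLS endpoint: {exc}"}

# Constructed sample certificate (not any real site's): issued for the wrong names.
WRONG_CERT = {"subject": ((("commonName", "cdn.example.net"),),),
              "subjectAltName": (("DNS", "cdn.example.net"), ("DNS", "*.example.net"))}

if __name__ == "__main__":
    for host in ("www.example.com", "www.example.net", "example.net", "a.b.example.net"):
        verdict = "accepted" if hostname_matches(WRONG_CERT, host) else "browser warning"
        print(f"{host}: {verdict}")
```

Running `https_status("www.example.com")` against a live host reports the same verdict a browser would give, so it can be scripted across a company's domains to catch an isolated misconfiguration like the one described here.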

Image caption: Tough month for Dixons Carphone Warehouse (and its customers)

“Slightly Embarrassing”

He added: “The footer on said page claimed they’ll handle that data appropriately & securely… The majority of their other sites have TLS deployed properly, so this appears to be an isolated incident. In light of recent events, it’s slightly embarrassing.”

Web security expert and founder of haveibeenpwned.com, Troy Hunt, told Computer Business Review: “It’s rather alarming that even after major security incidents, one of the simplest, most fundamental security controls is missing from Dixons and it’s such a foreign concept that it confused their support staff!”

Dixons Carphone Warehouse has been contacted for comment.

An earlier 2015 hack of an insecure WordPress website that resulted in another data breach saw Dixons Carphone Warehouse hit with a £400,000 fine by the ICO.
