A UK company, CarPhone Warehouse, was fined £400k (about half a million dollars) for a massive breach basically caused/allowed by ignoring basic security rules that we all should know:
- Use secure, unique passwords (all their servers had the same root password, which was known by 30-40 people)
- Software kept up to date (their WordPress installations were 6 years out of date; other software also years out of date.)
- Although the historical transactions were protected by encryption, the encryption keys were stored in plain text within the application.
“Carphone Warehouse had claimed that the attack was ‘sophisticated’, but in reality the attacker used the Nikto web scanning tool which is freely available and checks for outdated web servers, application software and common configuration errors.”