Sainsbury's to Techrights: Yes, Our Web Site Broke Down, But We Cannot Say Which Part or Why
Windows TCO??? NDA to cover that up???
THIS morning, shortly after this 7AM article, I contacted Sainsbury's, including by telephone (as anticipated), and I've just listened again to the conversation I had. At 8:15AM they said someone higher up would phone me back, but it's past 2PM and I'm still waiting. Fair enough, I can wait, as I can imagine they're overwhelmed by media queries following the past weekend's incident.
Shall there be a useful and fruitful follow-up (rather than non-denying fluff), I will either update this post or add a new one. Someone has told me that maybe Sainsbury's etc. are having yet another AD or Sharepoint failure. They claim there was a failed software update, which they aren't specific about. They refuse to say what the actual culprit was.
In the call I presented myself not as a blogger or journalist but as a customer with technical background, who has just published a long article and expressed privacy concerns in case of a breach; I said that I continue to investigate it, as a technical person and as their client/customer, having received an E-mail from their CEO that didn't say much and didn't explain if there was or was no data breach, no ransomware etc. I explained that it's on the public record they suffered security breaches in recent years and, without saying it out loud, it was Windows (I tried not to give too much information but to pull new information).
It has now been about 5 hours and I'm still waiting for the callback. My guess is, someone higher up will listen to the recording and write down talking points before he or she phones me. That's how the managers typically do this, in my experience. So maybe they're still trying to figure out what exactly to tell me. I'm still waiting.
It's rather tempting to deduce that someone from Microsoft (or "partner") or something like Windows Update broke their system and they had no immediate safety net, but evidence will be needed, even if only verbal. They want to keep quiet and they won't just give that away, the right questions need to be asked. So my strategy has been to ask which component was updated (i.e. got broken), as I need to know as a 1) customer 2) hobbyist reporter with a personal stake in the outcome (as per (1)). All customers need to know if not to deduce whether no data breach/es happened. They have a stake in this. If the issue was Windows (e.g. Patch Tuesday and updates applied over the weekend when it's quieter), then it is Microsoft TCO.
I am one of their very first customers (the online delivery system; I was an early adopter). They're aware of this now. My wife too has an account there, but they didn't send her an E-mail to notify her of anything. Weird. How selective are they?
For the time being, based on what I was told over the telephone (long call), it's clear something went wrong and they don't want to talk about it. They just repeat the same lines and don't want to talk about the details; there is even an automated message repeating the face-saving PR before being redirected to an actual human, probably in some remote call centre in Asia based on my experience. They insist there was no data breach, but they seem to have technical deficit, so in the future they will probably lose control of their data. The very choice of Microsoft for all their stacks suggests a lack of in-house computer skills.
I wish I could say more at this point, but it'll be better to wait until a manager phones to elucidate further, or to explain matters in clear words rather than a 'script'. After that I want to explore the complexity of the process wherein a customer makes a demand that they delete all personal (past) data, such as purchasing history, citing the relevant privacy laws in the UK. For sure they'll make this very hard if not nearly impossible. █
