On Saturday Carphone Warehouse (CW) announced that the names, addresses, dates of birth and bank details of up to 2.4 million customers may have been accessed in a cyber-attack discovered on Wednesday, believed to have occurred during the two weeks prior.
Encrypted credit card details of up to 90,000 people may have been accessed.
Check Point's technical director, Thierry Karsenti, emailed SC to warn that the stolen data is likely to be used as bait for targeted phishing attacks against customers, especially in emails claiming to be from Carphone Warehouse or one of its subsidiaries.
Karsenti said: “Armed with the data they already have, attackers are likely to try and trick those affected by the breach into revealing further details, such as account numbers and passwords.
“For the attackers, it's just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks, so customers should be suspicious of any emails, or even phone calls, that relate to the breach, and should not give away more information.”
Carphone Warehouse is clearly aware of the danger and on Saturday sent an email to customers telling them to notify their bank and credit card company, so they can monitor account activity, as well as advising them to change the password for their online accounts. It also advised customers to check their credit rating on Experian, Equifax or Noddle to ensure they have not been made a victim of fraud. Some commentators suggest the details, where obtained, will already have been sold on.
Staff at Haymarket were among those affected. After receiving warning emails from Carphone Warehouse, at 3pm and 9pm on Saturday, one member told SC how they rang their bank and were immediately asked whether their password for the bank was the same as for the phone contract – as the password would have needed to be changed had that been the case. They were also advised to keep an eye out for any unusual transactions on their account, the bank clearly being concerned that identity theft may be attempted, and to contact Action Fraud, the UK's national fraud and internet crime reporting centre, if they were concerned they might be a victim of fraud.
However, both the Information Commissioner's Office (ICO) and the Metropolitan Police Cyber Crime Unit have reported being aware of the attack; the ICO is investigating the issue, while the Met says no reports of related fraud have yet been made.
Sebastian James, chief executive of Dixons Carphone, was reported by the Guardian newspaper as saying: “We take the security of customer data extremely seriously, and we are very sorry people have been affected by this attack. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
In an email to SCMagazineUK.com, data security expert Jason du Preez, CEO of Privitar, said: “This data breach is yet another high-profile reminder that it is impossible for companies to protect their customers' data with traditional perimeter security.
“Companies need to embrace the irrefutable fact that the way they manage and process data will have a direct impact on brand and customer loyalty. Embracing a data-centric approach to security and a process that ensures no sensitive data is visible in any given process – privacy-by-default – will enable organisations to confidently use consumers' precious data safely.
“Most organisations have entirely valid reasons for wanting customer data. It allows them to provide the personalised, relevant product and services consumers demand. But there's no reason, from a technical point of view, even financial data can't be anonymised to protect both the individual and the organisation itself.”
Carphone Warehouse says the hack was stopped “straight away” after it was discovered on Wednesday afternoon, and that the company has launched a forensic investigation with a ‘leading cyber security firm’.
Carphone Warehouse is responsible for the websites of OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, as well as services for its own recently launched iD Mobile network, TalkTalk Mobile and Talk Mobile. About 1.9 million of those affected are reportedly directly signed up to Carphone Warehouse, while about 480,000 are customers of TalkTalk Mobile, whose registration process is handled by Carphone Warehouse.
Phil Barnett, EMEA VP and GM of Good Technology, noted in an email that: “Many companies are still flying blind when it comes to security, because 60 per cent think it doesn't affect them. The truth is that it's not just a conversation for banks or governments anymore - anyone and everyone is a potential victim of hacks and data leaks. Data is a company's biggest asset, but many organisations haven't yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won't go away and companies need to change their mindset in order to solve it.”