Carphone Warehouse breach: Guidance
Written by staff reporter
Carphone Warehouse customers are being warned that their personal data may have been breached in an apparently sophisticated cyber attack. The high street and online communications giant discovered last Wednesday that the IT systems of one of its divisions were hacked into, yet only made the breach public three days later, on Saturday.
GetSafeOnline is urging customers of the company as well as those of e2save.com, OneStopPhoneShop.co.uk, Mobiles.co.uk, TalkTalk Mobile or iD to change their passwords immediately – along with passwords on other accounts for which they use the same login details.
In a statement on Saturday, Carphone Warehouse said an internal investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed, it said. "We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience," Carphone continued in its statement. "Currys and PCWorld and the vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident."
The company is investigating how criminals succeeded in the breach, which affected TalkTalk Mobile customers. The Metropolitan Police and Information Commissioner's Office have also been notified.
Sebastian James, CEO of the firm’s parent Dixons Carphone, said: “We take the security of customer data extremely seriously, and we are very sorry people have been affected by this attack. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
Currys and PC World customer data, along with that of “the vast majority” of Carphone Warehouse customers, had not been affected as it was held on separate systems, according to the company.
Tony Neate, CEO, Get Safe Online, commented, "This news is hugely concerning for Carphone Warehouse customers. With the stolen data potentially including names, addresses and dates of birth, hackers could also gain access to your other online accounts if you are using any of this information for your passwords. If this is you, now is the time to give your passwords an overhaul – think of something unpredictable and different for every account. Carphone Warehouse is said to be getting in touch with customers who need to notify their bank and credit card company, but don't be fooled by emails or phone calls pretending to be them. There will always be more cyber criminals looking to exploit the situation and trick you into sharing information a legitimate company would never ask for."
Commenting on this, the latest in a string of high profile cyber breaches, Paul Stokes, COO of Wynyard Group, said, “This attack is another warning that even the largest and most complex systems can be exposed to cyber breaches. Businesses need to wake up to the fact that cyber-criminals’ sophisticated practices have rendered traditional perimeter defences, including proxy, firewall, VPN, antivirus and malware tools, inadequate to protect against attacks. To effectively protect themselves against this kind of breach in the future, businesses need to adopt a new approach to cyber security – one that takes advantage of big data and smart algorithms to allow them to detect small anomalies before they become big problems.
“With mathematical machine learning and anomaly-detection capability, new information-driven cyber intelligence tools are designed to allow businesses to identify previously unknown, security-relevant patterns in an ongoing and timely manner. This helps businesses identify high-risk cyber threats and vulnerable areas early on in order to manage them more effectively.”
GetSafeOnline advice for Carphone Warehouse, e2save.com, OneStopPhoneShop.co.uk, Mobiles.co.uk, TalkTalk Mobile or iD customers
• Notify your bank and credit card company, so they can monitor activity on your account.
• Change your password for your online account and – if you use the same login details for other accounts – on those too.
• Check your bank and other online accounts for any suspicious or unexpected activity.
• Be wary of phone calls, emails or other communications asking for personal information, bank details or passwords.
• Visit a credit checking service to review your credit rating to make sure nobody has applied for credit in your name.