Admits 2.5 million customers’ data compromised in hack
Carphone Warehouse has stated that millions of its customers are at risk of identity theft after its systems were subject to what it called a “sophisticated cyber-attack”.
In the breach, discovered last Wednesday, hackers accessed the personal data of 2.4 million customers, including bank details, as well as the encrypted credit card data of a further 90,000 customers.
After confessing on Saturday that the data breach had taken place, the company stated that over the space of two weeks several of its brands were affected by the hack, including iD Mobile, TalkTalk Mobile, Talk Mobile, OneStopPhoneShop.com, e2save.com, Mobiles.co.uk, as well as clients of Carphone Warehouse itself.
In a statement the company said: “Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed.
“We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks.”
However, customers are now up in arms that the business kept the hack quiet for three days. Many have taken to Twitter to vent their dissatisfaction.
All affected customers are being contacted via email, and a spokesperson from the PR firm engaged to deal with the issue said that Carphone Warehouse is now monitoring bouncebacks and other email responses to see which people need to be contacted in other ways via the specific brands they are customers of.
Customers are being advised to contact their banks and credit card providers, to watch for fraudulent activity, and to be suspicious of phone calls claiming to be from their banks. The PR spokesperson added that even for the 90,000 customers whose credit card data had been accessed, the data was encrypted and so should be protected.
Graham Cluley, an independent computer security analyst, commented on his blog that his advice in this situation is “… to keep a close eye on your bank statements, looking out for unusual purchases.”
As to how the hackers gained access to the data, Cluley said: “Potentially the hackers could have exploited a poorly secured website which had been misconfigured or not received appropriate security patches or updates. Another possibility is that the attackers simply managed to trick a member of Carphone Warehouse staff into handing over their own credentials used to access customer databases – perhaps through a phishing email, although it’s important to stress that this is just speculation at this stage.”
Sebastian James, group chief executive at Dixons Carphone, the parent company of Carphone Warehouse, said: “We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
The company claimed that Currys and PCWorld customer data, along with the vast majority of Carphone Warehouse customer data, is held on separate systems and has not been accessed during this incident.