On Saturday Carphone Warehouse (CW) announced that the names, addresses, dates of birth and bank details of up to 2.4 million customers may have been accessed in a cyber-attack discovered on Wednesday, believed to have occurred during the two weeks prior.
Encrypted credit card details of up to 90,000 people may have been accessed.
Check Point's technical director, Thierry Karsenti, emailed SC to warn that the stolen data is likely to be used as bait for targeted phishing attacks against customers, especially in emails claiming to be from Carphone Warehouse or one of its subsidiaries.
Karsenti said: “Armed with the data they already have, attackers are likely to try and trick those affected by the breach into revealing further details, such as account numbers and passwords.
“For the attackers, it's just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks, so customers should be suspicious of any emails, or even phone calls, that relate to the breach, and should not give away more information.”
Carphone Warehouse is clearly aware of the danger and on Saturday sent an email to customers telling them to notify their bank and credit card company so that account activity can be monitored, and advising them to change the password for their online accounts. It also advised checking their credit rating with Experian, Equifax or Noddle to ensure they have not been made a victim of fraud. Some commentators suggest that the details, where obtained, will already have been sold on.
Staff at Haymarket were among those affected. After receiving warning emails from Carphone Warehouse at 3pm and 9pm on Saturday, one member of staff told SC how they rang their bank and were immediately asked whether their password for the bank was the same as for the phone contract, since the password would have needed to be changed had that been the case. They were also advised to keep an eye out for any unusual transactions on their account, the bank clearly being concerned that identity theft may be attempted, and to contact Action Fraud, the UK's national fraud and internet crime reporting centre, if they believed they might be a victim of fraud.
Meanwhile, both the Information Commissioner's Office (ICO) and the Metropolitan Police Cyber Crime Unit have reported being aware of the attack. The ICO is investigating the issue, while the Met says no reports of related fraud have yet been made.
Sebastian James, chief executive of Dixons Carphone, was reported by the Guardian newspaper as saying: “We take the security of customer data extremely seriously, and we are very sorry people have been affected by this attack. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
In an email to SCMagazineUK.com, data security expert Jason du Preez, CEO of Privitar, said: “This data breach is yet another high-profile reminder that it is impossible for companies to protect their customers' data with traditional perimeter security.
“Companies need to embrace the irrefutable fact that the way they manage and process data will have a direct impact on brand and customer loyalty. Embracing a data-centric approach to security and a process that ensures no sensitive data is visible in any given process – privacy-by-default – will enable organisations to confidently use consumers' precious data safely.”
“Most organisations have entirely valid reasons for wanting customer data. It allows them to provide the personalised, relevant product and services consumers demand. But there's no reason, from a technical point of view, even financial data can't be anonymised to protect both the individual and the organisation itself.”
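To make the pseudonymisation point concrete, the following added example (written for this page, not code from Privitar or Carphone Warehouse) tokenises the fields named in the breach report – name, address, date of birth and bank details – with a keyed HMAC before a record leaves the restricted zone, so analytics and support processes only ever see tokens. It also shows why an unkeyed hash is not anonymisation: a UK sort code has only a million possible values, so a plain hash table can be reversed by enumeration. The customer records and the key are constructed for the demonstration; the vault API and field names are the example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Categories of data named in the breach report; downstream processes
# (analytics, marketing, support tooling) should see tokens, not values.
SENSITIVE_FIELDS = ("name", "address", "date_of_birth", "sort_code", "account_number")

# Constructed sample records: hypothetical customers, not real data.
SAMPLE_RECORDS = [
    {"customer_id": 1, "name": "A. Example", "address": "1 Sample St, London",
     "date_of_birth": "1980-02-03", "sort_code": "12-34-56",
     "account_number": "12345678", "plan": "24m SIM-only"},
    {"customer_id": 2, "name": "B. Example", "address": "2 Sample St, Leeds",
     "date_of_birth": "1991-11-30", "sort_code": "12-34-56",
     "account_number": "87654321", "plan": "12m handset"},
]


def keyed_token(key: bytes, field: str, value: str) -> str:
    """Deterministic pseudonym: the same (field, value) always yields the same
    token, so records can still be joined and counted, but without the key a
    token can neither be reversed nor confirmed by guessing candidate values."""
    msg = f"{field}\x00{value}".encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def unkeyed_token(field: str, value: str) -> str:
    """The weak variant: a plain hash. It looks just as opaque as a keyed token,
    but recover_sort_code() below reverses it in well under a second."""
    return "tok_" + hashlib.sha256(f"{field}\x00{value}".encode()).hexdigest()[:24]


class TokenVault:
    """Holds the HMAC key and the token->value map. Only this component, which
    stays inside the restricted zone, can turn a token back into real data."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._vault: dict = {}

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of the record with every sensitive field tokenised."""
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                token = keyed_token(self._key, field, out[field])
                self._vault[token] = out[field]
                out[field] = token
        return out

    def reveal(self, token: str) -> str:
        """Privileged lookup; raises KeyError for tokens this vault never issued."""
        return self._vault[token]


def recover_sort_code(token: str) -> Optional[str]:
    """Dictionary attack on a sort-code token: there are only 1,000,000 possible
    sort codes, so an unkeyed hash is recovered by enumeration. Against a keyed
    token the same loop finds nothing, because the attacker lacks the key."""
    for n in range(1_000_000):
        digits = f"{n:06d}"
        candidate = f"{digits[:2]}-{digits[2:4]}-{digits[4:]}"
        if unkeyed_token("sort_code", candidate) == token:
            return candidate
    return None


def customers_per_sort_code(records) -> dict:
    """An analytics job that works equally well on raw values or tokens,
    because the tokens are deterministic within one key."""
    counts: dict = {}
    for r in records:
        counts[r["sort_code"]] = counts.get(r["sort_code"], 0) + 1
    return counts


if __name__ == "__main__":
    vault = TokenVault()
    safe = [vault.pseudonymise(r) for r in SAMPLE_RECORDS]
    print("tokenised record:", safe[0])
    print("customers per sort code (on tokens):", customers_per_sort_code(safe))
    weak = unkeyed_token("sort_code", SAMPLE_RECORDS[0]["sort_code"])
    print("unkeyed token reversed to:", recover_sort_code(weak))
    print("keyed token reversed to:", recover_sort_code(safe[0]["sort_code"]))
```

The key must live only with the vault: if it is stored alongside the tokenised data, the tokens are no better than the unkeyed hash. Deterministic tokens also leak equality (two customers sharing a sort code produce the same token), which is exactly what lets the analytics job run; where even that linkage is unacceptable, a random per-record token with the mapping held in the vault is the stricter choice.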
Carphone Warehouse says the hack was stopped “straight away” after it was discovered on Wednesday afternoon, and that the company has launched a forensic investigation with a ‘leading cyber security firm'.
Carphone Warehouse is responsible for the websites of OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides services for its own recently launched iD Mobile network as well as for TalkTalk Mobile and Talk Mobile. About 1.9 million of those affected are reportedly directly signed up to Carphone Warehouse, while about 480,000 are customers of TalkTalk Mobile, whose registration process is handled by Carphone Warehouse.
Phil Barnett, EMEA VP and GM of Good Technology, noted in an email that: “Many companies are still flying blind when it comes to security, because 60 per cent think it doesn't affect them. The truth is that it's not just a conversation for banks or governments anymore - anyone and everyone is a potential victim of hacks and data leaks. Data is a company's biggest asset, but many organisations haven't yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won't go away and companies need to change their mindset in order to solve it.”
Keith Poyser, GM EMEA at Accellion, agrees, commenting: "While the details of the recent Carphone Warehouse security breach are still materialising, it nevertheless reinforces the fact that enterprises need to take cyber-security and data leak prevention more seriously. This is a technology issue, training issue, process issue, corporate governance issue and on and on. To mitigate the risk of a breach, cyber-security ultimately has to become a part of an enterprise's culture and it must touch every segment of that enterprise. The good news is there are a number of steps organisations can take to lessen the chances of a cyber-attack.”
In an email to SC, Andrew Avanessian, VP at endpoint security company Avecto, suggests some of the ways these attacks can be planned for and prevented, saying: “It's likely that the retailer's detection mechanisms simply didn't flag the attack until it was too late.
“While it's too early to start pointing the finger at other root causes, time and time again these kinds of attacks often stem from the exploitation of innocent employees through privilege abuse – where a hacker will find their way onto the corporate network and once there seek out employees with admin privileges, creating an open door to sensitive business information.
“It's important therefore to stress that prevention is possible. Business can and should limit their exposure to this risk by adopting a least privilege approach to user access. Business should prepare for when they are targeted, not if, and taking control of who has access to what is the obvious starting point. This approach is complemented by tight control of applications and the mitigation of internet-borne malware through sandboxing, creating multiple layers of defence to prevent and protect against these kinds of threats.”
John Smith, Principal Solution Architect at application security specialist Veracode, notes how the breach: “... highlights the challenges that organisations face when handling personal data, and further reinforces the need for strategic and systematic thinking when approaching the security of that data.
“CEO of Dixons Carphone, Sebastian James confirmed that the company has since put in place added security measures to immediately deal with the problem. This is a costly trend, and across the UK this accounts for an increased annual IT spend of up to almost £16 billion, according to research by the Centre for Economics and Business Research. Whilst a positive response following a cyber-attack, it is important that businesses don't wait to be hacked before putting the appropriate security measures in place. Businesses need to take a broader, more strategic approach to cyber security to ensure the safeguarding of their customers' data.”
Klaus Gheri, VP and GM of Network Security at Barracuda Networks concurs saying in an email to SC: "This latest breach shows that most organisations are not doing enough to keep data safe. More than ever, security needs to be intelligent, scalable, and always available wherever end users happen to work, be it in the workplace, on a laptop or mobile device.”
Ken Odeluga, a senior market analyst at www.cityindex.co.uk is sanguine about the immediate impact on the company and suggests that unless further details emerge which are damaging: “...the impact from the breach is containable. The impact on CW shares will probably be negligible and the financial fallout I suspect will be zero.
"Whilst unfortunate, breaches such as these remain relatively rare and only a tiny fraction, if any, of the individuals exposed seldom can be expected to suffer any further harm at all, apart from a temporary loss of privacy.
CW did not publicise the breach immediately after discovery, and that has opened it up for some criticism. However, CW undoubtedly followed best practice for remedial measures to the letter, which helps explain why securing the breach before publicising may have taken priority.”
There have been many complaints from customers on Twitter, including criticism of the three-day delay in informing customers (which the company says was due to trying to assess how many were affected). Beyond any revenue lost while services are not running fully, remediation costs and any immediate share price fall, the biggest potential impact, should customers subsequently be found to have incurred financial loss, is reputational: lost future customers, and lost credibility for the company's ambition to become a leader in the “internet of things”.
Another concern for the future will be regulatory fines, as Luke Brown, vice president and GM, Europe Middle East Africa India & Latam at Digital Guardian, notes: "With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more data-centric approach to security is the only way to effectively protect against this kind of breach in the future. The days of perimeter based security are numbered and with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday.”