The latest corporate victim of a damaging cyber-attack is well known UK mobile phone company Carphone Warehouse (owned by Dixons Carphone). Personal details of up to 2.4 million customers have been accessed, including: names, addresses, dates of birth and bank details. In addition, the phone company revealed that the encrypted credit card details of up to 90,000 may have been stolen.
The hacked IT division also reportedly operates websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, as well as providing services to TalkTalk Mobile, Talk Mobile and to the newly launched iD mobile network.
Increasingly we are seeing focused attacks on UK firms after a cyber-onslaught in America and this represents one of the biggest we have seen in the UK over the last few years.
For any business holding personal data, up to date and sophisticated antivirus software as well as intrusion detection systems need to be maintained and regularly reviewed to detect flaws. We also need to remember that constant user training needs to be kept up to date as often unfortunately the weakest link is the human element in these systems.
For Carphone Warehouse, trying to maintain trust of its customers and allay fears about ID loss will be hard after this, where comments like the following are going viral (BBC news website):
- “Firms like Carphone Warehouse need to be held accountable for security breaches”
- “As a Talkmobile customer, I have just visited the Carphone Warehouse and Talkmobile websites to find out more. Guess what? I could find absolutely no mention of this on either website! It seems like they are trying to sweep this under the carpet. Not good enough – and we should have been told when it happened”.
With the value of ID going from £5-£10 for a set of credit card details to £20+ for a full set of personal details, this sort of security breach gets the tills ringing on the blackmarket, enabling criminals to
re-register and create false identities with corporate bodies or use victims’ details to take out loans for example.
If a customer believes they are affected by such a breach there are a few things they can do:
◾ Notify their bank and credit card company, so they can monitor activity on their account.
◾ Change passwords for an online account.
◾ Check accounts for any suspicious or unexpected activity.
◾ Be very, very wary about giving out personal information, bank details or passwords.
◾ Use credit check agencies like Experian or Equifax to check your credit rating to make sure no one has applied for credit in your name (although this means the victims are also being financially punished by needing to spend up to £15 per month just to keep an eye on their credit score).
Any delay in telling customers bad news only allows leaches and rumours to dominate in the press and this kills any positive steps Carphone Warehouse may have taken to stamp on, or curtail the fallout.
Carphone Warehouse did make moves to tell some people news of the breach, namely the Information Commissioner’s Office and the Met Police’s ‘Cyber Crime Unit’, although no formal allegation of a crime had been made and the Met had no reports of any fraudulent banking activity. But it looks to have been too slow to warn those affected who it should have contacted as a priority – and this might be their commercial undoing next time a mobile phone contract is up for renewal.