Monday, August 10, 2015

Carphone Warehouse: 2.4 Million Customer Passwords Have Been Pinched

Firm says that it nipped breach in the bud

Mobile phone seller Carphone Warehouse has joined the chorus of companies with a confession to make, and has revealed that some of its customers need to change their passwords. The firm, like so many of its peers, has had a patch of passwords pickled by some pesky people. The company, now part of Dixons Carphone, said in a statement that it acted quickly once it discovered the attack and did its best remediation work. It has even released a FAQ.

"On 5 August we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack," said a spokesperson.

The INQUIRER report continues:
"This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

"We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks."

"Additional security measures" sounds like a reassuring thing for customers to hear. And it is possible that the 2.4 million people who have had their name, address, date of birth and bank details exposed to the hackers, or the 90,000 who Carhose Workhouse said may have lost encrypted credit card data, will take some solace from the additions.

Charlie Carthorse said that the company and a collection of partners are contacting customers who "might have been affected" and offering them advice. Anyone who shops in Currys and PC World, which are part of the same company, can chill. Their data doodahs are safe and sound and kept on separate systems.

Here comes the apology bit. "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems," said Sebastian James, group chief executive of Dixons Carphone. "We are, of course, informing anyone that may have been affected."

The security industry has turned its attention to the incident and the announcement, and has not been particularly complimentary.

"Many companies are still flying blind when it comes to security, because 60 per cent think it doesn't affect them. The truth is that it's not just a conversation for banks or governments anymore - anyone and everyone is a potential victim of hacks and data leaks," said Phil Barnett, EMEA VP and GM of Good Technology.

"Data is a company's biggest asset, but many organizations haven't yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won't go away and companies need to change their mindset in order to solve it."

Mike Spykerman, VP at security software firm Opswat, suggested that companies must assume that they will get attacked and make sure they have the best possible tools in place.
"The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines," he said.

"By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher."

We say that if you used your Carphone Warehouse log-in details on any other site, you really ought to be out there changing that password everywhere you reused it, not just at Carphone Warehouse.
