Following a cyber attack on its systems last Wednesday, the British mobile phone retailer Carphone Warehouse is now being investigated by the UK’s Information Commissioner’s Office (ICO). The intrusion, which the attackers masked with a simultaneous DDoS attack that swamped Carphone Warehouse’s systems with junk traffic, is believed to have exposed the records of 2.4 million customers. More worrying still, it is also believed that around 90,000 encrypted credit card details may have been taken in the breach.
Attackers use DDoS traffic to overwhelm systems and tie up the people defending them; the outage and the noise it generates give an intruder cover to break into the network while attention is on restoring service. For defenders, the lesson is that a DDoS arriving at the same time as other unusual activity should be treated as a possible diversion, not only as an availability problem. Although Carphone Warehouse is part of the larger Dixons Carphone group, which also includes the British retailers Currys and PC World, a statement from Carphone Warehouse has put to rest rumours about those other businesses’ systems:
‘We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience. Currys and PCWorld and the vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident.’
Carphone Warehouse has also said that it has engaged a ‘leading cybersecurity firm’ to establish ‘exactly what data was affected.’ That firm should also be hardening the rest of the Dixons Carphone group’s networks to avoid further embarrassing and damaging intrusions.
However, Dr Chenxi Wang, vice president of cyber security firm CipherCloud, has gone on record with comments that show little faith in Carphone Warehouse’s security posture. She is watching the situation closely because of an earlier breach, last year, that affected the TalkTalk part of Carphone Warehouse’s systems, and she believes this new attack may show that the firm did not do enough to tighten its security after that incident:
‘It would demonstrate extreme negligence on their part to have made no real changes to their security postures. This time around, the resulting penalty must have teeth to stop repeat offenders and compel companies to improve the robustness of their security measures.’
The ICO, which has launched an inquiry, is officially warning that whenever large amounts of personal data are stolen there is a risk of identity theft. Given that the stolen data includes names, addresses, dates of birth and bank details, that risk is very real.
If you believe you may have been affected by the breach, the ICO advises the following:
- Notify your bank and credit card provider so that they can monitor your accounts for fraudulent activity.
- Change the password on your online account, and on any other account where you reused the same password.
- Be wary of unsolicited calls, emails or texts asking for personal details such as passwords or bank details; criminals use stolen data to make such requests look legitimate.
- Check your credit report with Experian, Equifax or Noddle to be sure no one has applied for credit in your name.
The chief executive of the Dixons Carphone group, Sebastian James, has issued an apology to customers and says that everything possible is being done to mitigate the damage already caused:
‘We are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.’