A major online security breach at Carphone Warehouse could have left the personal details of 2.4 million customers exposed to unknown hackers.
A spokesman told The Guardian a web security firm is now “crawling all over our systems” and the Information Commissioner’s Office is investigating the breach.
MPs on the Treasury Select Committee could demand a session with company bosses to answer questions, according to the Daily Mail. But what should worried customers do?
Who was affected by the breach?
The attack was directed at a division of the company which operates OneStopPhoneShop.co.uk, e2save.com and Mobiles.co.uk, so if you have an account through one of these websites you may be affected. This part of the company also provides services to TalkTalk Mobile, Talk Mobile and Carphone Warehouse’s own recently launched ‘iD’ mobile network.
It says it has already written to customers whose details may have been compromised and has issued assurances that customers who have made purchases or opened accounts with its other brands, which account for the “vast majority” of customer data held, are completely secure. Other subsidiaries of parent company Dixons Carphone, including Currys and PC World, are also unaffected.
What data may have been accessed?
The Financial Times says the details of around 1.9m direct customers, and 480,000 through TalkTalk, could have been accessed, including personal information such as names, addresses and dates of birth, and bank details. Credit card details of around 90,000 may also have been exposed, but The Guardian says this information was “stored in an encrypted form”.
What action has the company taken?
Carphone Warehouse said the hack, which took place over a couple of days, was stopped “straight away” following its detection and that its websites were temporarily taken down, says the Mail. A web security firm that specialises in cyber attacks has trawled the systems and the company now says they are safe.
Having detected the attacks on Wednesday, it began writing to customers on Saturday to inform them of the breach and give advice on what to do, which has led to criticism over why it did not let people know immediately. The Information Commissioner’s Office is now investigating and has the power to fine the company £500,000.
The FT says Scotland Yard is “aware” of the incident, but has not received a crime report, and the National Crime Agency would not confirm if it was investigating.
What action should I take?
Customers who believe they may have been affected are being advised to change their passwords and check for suspicious activity on their bank and credit card accounts. If fraud is suspected, you are advised to contact Action Fraud, the UK’s national fraud and internet crime reporting centre.
Is this incident unique?
Unfortunately not – far from it. With the rapid growth in recent years of ‘ecommerce’, web-based portals are now a common target for increasingly sophisticated criminals. In the past the likes of Sony’s PlayStation Network have been hacked, while the FT also cites previous attacks on US health insurer Anthem and US retailer Target.
General advice to customers is to ensure passwords are not closely related to the sort of personal data commonly held, such as date of birth, to prevent any minor security breach giving access to more sensitive accounts. Passwords should involve an element of encryption, such as numerical digits in place of letters, and be changed frequently.