BreachExchange mailing list archives
Carphone Warehouse in customer data breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Aug 2015 18:35:28 -0600
http://www.bbc.com/news/uk-33835185

Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says.

Up to 90,000 customers may also have had their encrypted credit card details accessed, it said in a statement.

While the "vast majority" of Carphone Warehouse customers are unaffected, the breach does concern some of the company's separately managed divisions.

The retailer's owner, Dixons Carphone, said it was very sorry for the attack.

The affected part of the company operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.

It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.

Sebastian James, chief executive of Dixons Carphone, said: "We are, of course, informing anyone that may have been affected, and have put in place additional security measures.

"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems."

Carphone Warehouse said it was informing all customers who may have been affected of the breach.

It will also advise affected individuals on how to reduce the risk of further consequences arising from the data leak.

What can those affected do?

- Notify your bank and credit card company, so they can monitor activity on your account
- Change your password for your online account
- Check your account for any suspicious or unexpected activity
- Be wary of anyone calling asking for personal information, bank details or passwords
- Visit Experian, Equifax or Noddle to check your credit rating to make sure no one has applied for credit in your name

Those who think they have been the victim of fraud should contact Action Fraud on 0300 123 2040.

Craig Gee-Clough, from Bolton, told the BBC he has been contacted by mobiles.co.uk about the breach via letter.

"I can't contact the bank until after the weekend so am worried about what offences can be committed. Fraudsters can do anything with that information."

He said he is also unhappy about now having to pay to check his credit files.

The company's investigation found that the data could have included names, addresses, dates of birth and bank details.

A Carphone Warehouse spokesman said the attack was stopped "straight away" after it was discovered on Wednesday afternoon.

He also said the breach was likely to have occurred at some point "within the last two weeks before Wednesday afternoon".

The BBC's Joe Lynam says Carphone Warehouse first became aware of the problem on 5 August.

"In that time, 72 hours, they will say we need to find the depth of the breach, but let's say some people do have their cards compromised," he said.

"They will be livid that they weren't told straight away, so they could cancel those cards."

Talk Talk used to be owned by Carphone Warehouse but is a separate company - Carphone Warehouse now has contractual ties to it.

But 480,000 Talk Talk Mobile customers are affected by this breach.

Talk Talk later said on Twitter that a "very small number" of customer passwords accessed in the breach may not have been encrypted, but that the relevant online accounts had been blocked until those passwords are reset.

Carphone Warehouse took the affected websites down itself, to protect data once the problem was recognised.

Customer information for Currys and PC World - and the "vast majority" of Carphone Warehouse - is held on separate systems and was not accessed during the attack, the company added.

The Information Commissioner's Office, which is the regulator in the area of personal data, can impose fines of up to £500,000 if a company is found to have not done enough to protect its customers' personal information.

Dixons Carphone was formed last year by the merger of Carphone Warehouse and Dixons Retail.

In July it reported a 21% jump in profits in its first annual results since the merger that created the mobile phone and electrical goods firm.

In the UK and Ireland, where it trades under the Carphone Warehouse, Currys and PC World names, sales rose by 8%.