Carphone Warehouse admits 2.5M customers' data compromised in hack

Millions of Carphone Warehouse customers are at risk of identity theft after it admitted its systems had been subject to what it called a "sophisticated cyber-attack", which had been discovered last Wednesday.

All told, 2.4 million customers' personal data, including bank details, have been accessed by hackers, as well as a further 90,000 customers' encrypted credit card data.

After confessing that the data breach had taken place, the company stated that over the space of two weeks, several of its brands were affected by the hack, including iD Mobile, TalkTalk Mobile, Talk Mobile, OneStopPhoneShop.com, e2save.com, Mobiles.co.uk, as well as clients of Carphone Warehouse itself.

In a statement emailed to FierceWireless:Europe the company said: "Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed.

"We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks."

However, customers are now up in arms that the business kept the hack quiet for three days. Many have taken to Twitter to vent their dissatisfaction.

All affected customers are being contacted via email, and a spokesperson told FierceWireless:Europe that Carphone Warehouse is now monitoring bounce backs and other email responses to see which people need to be contacted in other ways via the specific brands they are customers of.

Customers are being advised to contact their banks and credit card providers, to watch for fraudulent activity, and to be suspicious of phone calls claiming to be from their banks. The spokesperson added that customers whose credit card data had been accessed should be protected by their card details' encryption.

Graham Cluley, an independent computer security analyst, advised customers "... to keep a close eye on your bank statements, looking out for unusual purchases."

As to how the hackers gained access to the data, Cluley said: "Potentially the hackers could have exploited a poorly secured website which had been misconfigured or not received appropriate security patches or updates. Another possibility is that the attackers simply managed to trick a member of Carphone Warehouse staff into handing over their own credentials used to access customer databases -- perhaps through a phishing email, although it's important to stress that this is just speculation at this stage."

Sebastian James, group chief executive at Dixons Carphone, the parent company of Carphone Warehouse, said: "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures."

The company claimed that customer data for Currys and PCWorld, along with the vast majority of Carphone Warehouse customer data, is held on separate systems and has not been accessed during this incident.
