Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked.
The company said on Saturday afternoon that it had first discovered its systems had been violated by a "sophisticated cyber-attack" on 5 August.
Encrypted credit card data of up to 90,000 customers may have been lifted by malefactors, it added.
Carphone Warehouse said its websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk had been affected by the attack. Those sites provide services for customers at iD Mobile, TalkTalk Mobile, Talk Mobile and an undisclosed number of Carphone Warehouse customers.
In the past hour, The Register has heard from readers who have only just been informed about the huge data breach.
One such missive from Bobbie Bhogal, managing director Mobiles.co.uk, put the onus on customers to find out if their personal data, including credit card info, had been stolen:
I am writing to you as a precaution after we discovered on the 5th of August that some of our IT systems had been subjected to a sophisticated cyber attack.
We immediately took action to secure these systems and launched a full investigation with a leading cyber security firm to help us understand the impact of this attack. Our investigation is still going on.
At this stage, our investigation indicates that some of the data held on our systems has been accessed and this may include some of your personal details, including your name, address, date of birth and bank details.
We take the security of your data extremely seriously, and we have put in place additional security measures to prevent further attacks. Nevertheless, we felt it was important to let you know as soon as possible.
To reduce the risk of fraudulent activity, we recommend that you consider taking the following steps:
- Notifying your bank and credit card company, so that they can monitor activity on your account
- Checking for suspicious or unexpected online or account activity Be careful of anyone calling asking for personal information, bank details or passwords
- You can check your credit rating to make sure no one has taken out loan and credit in your name. You can do this by visiting Experian or Equifax
- If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040.
I appreciate that this is potentially concerning for you and I am very sorry that this attack on us has caused this inconvenience.
Carphone Warehouse said that "the vast majority" of its customers had not been affected by the attack, since that data – along with PCWorld and Currys' subscriber info – was held on separate systems.
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems," said Dixons Carphone boss Sebastian James. "We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
El Reg asked the company whether it had turned itself in to the Information Commissioner's Office. We were also curious to know why it had taken the firm so long to inform its customers of such a serious breach.
A spokesbeing told us that Carphone Warehouse had notified the ICO.
She added, when quizzed, that the company had taken three days to inform customers of the attack because it wanted to first conclude an investigation into exactly how many subscribers had been affected before going public about the monster hack on its system. ®