Carphone Warehouse coughs to MONSTER data breach – 2.4 MEELLION Brits at risk

Credit card info of 90,000 users may have been nicked


Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked.

The company said on Saturday afternoon that it had first discovered its systems had been violated by a "sophisticated cyber-attack" on 5 August.

Encrypted credit card data of up to 90,000 customers may have been lifted by malefactors, it added.

Carphone Warehouse said its websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk had been affected by the attack. Those sites provide services for customers at iD Mobile, TalkTalk Mobile, Talk Mobile and an undisclosed number of Carphone Warehouse customers.

In the past hour, The Register has heard from readers who have only just been informed about the huge data breach.

One such missive, from Bobbie Bhogal, managing director of Mobiles.co.uk, put the onus on customers to find out for themselves whether their personal data, including credit card info, had been stolen:

I am writing to you as a precaution after we discovered on the 5th of August that some of our IT systems had been subjected to a sophisticated cyber attack.

We immediately took action to secure these systems and launched a full investigation with a leading cyber security firm to help us understand the impact of this attack. Our investigation is still going on.

At this stage, our investigation indicates that some of the data held on our systems has been accessed and this may include some of your personal details, including your name, address, date of birth and bank details.

We take the security of your data extremely seriously, and we have put in place additional security measures to prevent further attacks. Nevertheless, we felt it was important to let you know as soon as possible.

To reduce the risk of fraudulent activity, we recommend that you consider taking the following steps:

  • Notifying your bank and credit card company, so that they can monitor activity on your account
  • Checking for suspicious or unexpected online or account activity
  • Being careful of anyone calling asking for personal information, bank details or passwords
  • You can check your credit rating to make sure no one has taken out loans or credit in your name. You can do this by visiting Experian or Equifax
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040.

I appreciate that this is potentially concerning for you and I am very sorry that this attack on us has caused this inconvenience.

Carphone Warehouse said that "the vast majority" of its customers had not been affected by the attack, since that data – along with PCWorld and Currys' subscriber info – was held on separate systems.

"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems," said Dixons Carphone boss Sebastian James. "We are, of course, informing anyone that may have been affected, and have put in place additional security measures."

El Reg asked the company whether it had turned itself in to the Information Commissioner's Office. We were also curious to know why it had taken the firm so long to inform its customers of such a serious breach.

A spokesbeing told us that Carphone Warehouse had notified the ICO.

She added, when quizzed, that the company had taken three days to inform customers of the attack because it wanted to first conclude an investigation into exactly how many subscribers had been affected before going public about the monster hack on its system. ®


Biting the hand that feeds IT © 1998–2022