Data of 2.4 million UK customers hacked – but what do the pros think about this very public, and costly, data breach?
A huge cyber attack targeting Carphone Warehouse made front page news over the weekend, with the personal details of up to 2.4 million UK customers compromised.
Revealed by the mobile phone retailer’s parent company, Dixons Carphone, the ‘sophisticated cyber-attack’ has not only put customer data such as addresses, date of birth and names at risk, but encrypted credit card data of up to 90,000 customers may have also been accessed.
The IT division that was hacked operates not only the Carphone Warehouse website but also OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile and certain customers of Carphone Warehouse.
Promising to contact all customers who may have been affected, Sebastian James, Group Chief Executive of Dixons Carphone, said:
"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures."
The implications of this very public data breach are far reaching, but what do security pros think about it? CBR asked the experts for their take on the data breach, what we might see in the wake of the attack and what other companies can learn.
1. Take a long hard look at yourself, Carphone Warehouse
Luke Brown, Vice President & GM, Europe Middle East Africa India & Latam at Digital Guardian, said:
"2.4 million is a big number. When this is how many customers have been affected by a data breach, you’ve got to take a good hard look at existing security measures and question if they are even remotely adequate for the task at hand. Carphone Warehouse claims ‘only’ 90,000 sets of credit card details were accessed.
"But while a credit card can be cancelled (at much inconvenience to the cardholders affected), it’s a lot more difficult to change a name, address or date of birth. Sadly this is the issue facing the full 2.4 million customers whose personal details are now in the hands of criminals likely to use this information for phishing and fraudulent activities.
"With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more data-centric approach to security is the only way to effectively protect against this kind of breach in the future.
"The days of perimeter based security are numbered and with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday."
2. What took so long?
Charles Sweeney, CEO at Bloxx, said:
"We’ve seen many big brands face serious criticism over their apparent lethargy in the face of a cyber-attack, eBay being the most obvious. Of course companies need to understand the scope of the attack, but this exercise needs to be undertaken rapidly so that consumers can be engaged and supported in a timely way. How a brand handles a breach is the difference between retaining and losing customers. I think most would argue 72 hours is too long.
"Any concerned individuals should change their passwords across all of their online accounts and check their bank account activity ASAP."
3. Get ready for a spot of phishing
Klaus Gheri, VP and GM of Network Security at Barracuda Networks, said:
"With email addresses compromised as a result of the Carphone Warehouse breach, organisations and individuals must stay vigilant to the potential for spear phishing attacks. Having access to the email addresses could allow the hackers to build a detailed profile of their target and create a very specific attack.
"After building the profile the attack is likely to come from a ‘trusted source’ and this makes the chances of a successful attack considerably higher. As well as putting security systems in place, businesses, employees and consumers alike need to remain vigilant and question any unexpected email with an attachment that arrives in their inbox."
4. Learn from this – most are still flying blind
Phil Barnett, EMEA VP and GM of Good Technology, said:
"Many companies are still flying blind when it comes to security, because 60 per cent think it doesn’t affect them. The truth is that it’s not just a conversation for banks or governments anymore – anyone and everyone is a potential victim of hacks and data leaks.
"Data is a company’s biggest asset, but many organisations haven’t yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won’t go away and companies need to change their mindset in order to solve it."
5. Nothing is infallible
David Fisk, EMEA Sales Director at Quorum, said:
"The fact remains disasters such as this will occur. Today’s IT leaders need to be on guard for even the most modest threats to their infrastructure.
"Companies need to be able to minimise the amount of damage during a time of crisis, and a strong BC and DR plan goes a long way in helping to do this. Organisations have struggled with DR because traditional methods are either too complicated or too costly to implement and manage except for the largest companies.
"However, by adopting emerging technologies such as DR as a service (DRaaS) organisations can ensure their IT staff are trained and ready to instantly recover operations and keep their business viable.
"The reality is that neither humans nor computers are infallible and IT glitches will happen so it’s about contingency planning and minimising the impact this will have on the company."