Carphone Warehouse Hack Exposes Data of 2.4 Million Customers
Mobile Retailer Says PII, Encrypted Card Data Breached
Carphone Warehouse, a U.K.-based mobile phone retailer, says it is investigating a cyber-attack that may have breached personal information associated with up to 2.4 million customers.
In a statement issued Aug. 8, Carphone Warehouse, which has more than 2,400 stores across Europe, said that the IT systems of one division of the company had been targeted by a "sophisticated" attack. That division operates the websites OneStopPhonShop.com, e2save.com and Mobiles.co.uk, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and certain Carphone Warehouse customers.
Other parts of the company, including Currys and PC World, do not appear to have been impacted, Carphone Warehouse says.
Information that may have been exposed includes customer names, addresses, dates of birth and bank account details. Encrypted payment card data affiliated with up to 90,000 of those customers also may have been exposed, the company says.
"We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimize inconvenience," Carphone Warehouse notes in its statement. "Currys and PCWorld and the vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident."
The breach of PII, such as addresses and dates of birth, is likely to be the most concerning aspect of this attack. For months, security experts have warned that PII is becoming more valuable to hackers than card data: a compromised card can be reissued, but a name, address and date of birth cannot (see Breached PII: Growing Fraud Worry).
Mike Spykerman, vice president of San Francisco-based IT security firm OPSWAT, says the exposure of unencrypted PII is worrisome. "At least some of the information at Carphone Warehouse was encrypted," he says. "Still, a lot of personal data was not."
Details of the attack, including how the hackers gained access, have not been released, but Spykerman suggests a phishing attack is the likely cause.
"Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines," he says. "By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber-attacks being successful, companies should prepare their defenses by deploying several cybersecurity layers, including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection."
The Carphone Warehouse attack is just one more in a long line of retail breaches, including Target, Home Depot and Neiman Marcus. Retail network security is a growing concern for the financial-services industry, as cyber-attacks are increasingly targeting retailers and the third parties that serve them in order to compromise not only payment card data but also PII.