Carphone Warehouse hacked: 2.4 million customer records at risk

Graham Cluley

If you are a customer of British mobile phone retailer Carphone Warehouse be sure to check your inbox – as you may have received an email warning from the company that your personal details could now be in the hands of malicious hackers.

Unfortunately, even if you aren’t a direct customer of Carphone Warehouse you may still be affected. For instance, some 480,000 TalkTalk Mobile customers are also said to be impacted.

Here is a copy of a statement Carphone Warehouse is sharing with people:

What has happened?
On 5 August 2015 we discovered that the IT systems of three of our online UK businesses had been subject to a sophisticated cyber attack. At this stage, our investigation indicates that some of the data held on our systems has been accessed and this may include some personal details, including customer name, address, date-of-birth, bank and encrypted credit card details.

Who is affected?
The three websites affected are onestopphoneshop.com, e2save.com and mobiles.co.uk. These websites also provide a number of services related to mobile phone contracts to iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse.

We don’t believe that any other Carphone Warehouse customer data or Currys PC World data has been accessed.

How will I know if I’ve been affected?
We’ve emailed all customers who we believe may have been affected with information and advice.

If you have not received a communication from us regarding your data security, your information should not be impacted and this message does not apply to you.

Naturally, the news of the attack will leave many customers of Carphone Warehouse, TalkTalk, mobiles.co.uk and the other affected companies worried that they could be affected.

Customers of mobiles.co.uk have been told for the last few days that the company’s website is down due to “technical difficulties”. Now it has become a little clearer what those difficulties were…

Understandably, some customers of the affected mobile phone companies are far from impressed and are turning to Twitter to express their annoyance.

“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” said Sebastian James, group chief executive of Dixons Carphone, in a statement.

Clearly it would be much better if the personal information that hackers have accessed had never fallen into their hands – every piece of personal data about you is a potential extra piece of the jigsaw which can lead to identity theft.

Imagine, for instance, if a company asks you to confirm your identity by telling it the first line of your address, your name and date of birth. Well, that’s now in the hands of hackers…

Naturally people will be concerned even if there is the remotest chance that they might be left out of pocket because of a hack like this. My advice is to keep a close eye on your bank statements, looking out for unusual purchases.

Very little is known publicly about the nature of the hack presently, although chances are that Carphone Warehouse has over the last few days been busy trying to determine the scale of the breach, and ensuring that its systems are no longer vulnerable.

Potentially the hackers could have exploited a poorly secured website which had been misconfigured or not received appropriate security patches or updates. Another possibility is that the attackers simply managed to trick a member of Carphone Warehouse staff into handing over their own credentials used to access customer databases – perhaps through a phishing email, although it’s important to stress that this is just speculation at this stage.

There is no specific mention in the advisory as to whether passwords and email addresses might have been put at risk by the hack, but I think it would be wise for customers to assume the worst, and consider changing their passwords.

Importantly, you should never use the same password on different websites. The reason is that if a password for one website falls into the hands of hackers, the last thing you want is for online criminals to then use that same password to unlock your other online accounts, such as your email.

Additionally, if it is found that email addresses were also compromised there is the potential for malicious spam and phishing campaigns against Carphone Warehouse customers.

I couldn’t find any mention of the data breach on Carphone Warehouse’s website at the time of writing, but – for more information – check out this BBC News report.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

6 Replies to “Carphone Warehouse hacked: 2.4 million customer records at risk”

  1. I'm surprised you didn't suggest that this could have been a web application security problem, like SQL injection for example. Web apps are the most common attack vector according to the Verizon DBIR for the past 8 years! Seems like the most likely option here.

    1. When I read:

      > sophisticated cyber attack.

      SQLi was the first thing that sprung to mind. I wonder if Paddy Power are offering any odds…

  2. Hey Graham, can I ask if you are still against volunteering to give certain websites your mobile number for account recovery or the login process? I remember an article you did on Naked Security many years ago saying you thought this was a bad idea. Do you still hold that opinion now? Personally this is something I still avoid to this day.

  3. "I couldn't find any mention of the data breach on Carphone Warehouse's website at the time of writing, but – for more information – check out this BBC News report."

    Which means that their apology wasn't all that meaningful. Of course that isn't unexpected but it is still rather sad – if you're truly sorry you will make every effort to demonstrate it (words often aren't enough; they are demonstrating this, even: they can't be bothered to make an official statement on their website). It seems they are only apologising to those that have complained but that isn't a genuine apology.

    Perhaps that isn't completely fair if they truly did make an official statement, but it would be a lot better if it was on their website also (so that all can see it in a place that you would expect it to be). I would like to believe – and hope – there is more to it.
