Carphone Warehouse cyberattack: details of 2.4m customers stolen by hackers

10 Aug 2015

Carphone Warehouse details customers stolen by hackers

The personal details of up to 2.4m Carphone Warehouse customers have been seized by hackers in a sophisticated cyberattack.

The data included names, addresses, dates of birth and bank account details.

The hackers may have also gotten away with the encrypted credit card information of up to 90,000 customers.

It is understood that no Irish customers were affected by the attack.

Carphone Warehouse has been informing customers who may have been affected by email.

In a statement to customers, Carphone Warehouse said that three of its online businesses in the UK were subjected to a sophisticated cyberattack.

The three businesses affected were Onestopshop.com, e2save.com and mobiles.co.uk.

The websites also provide services related to mobile contracts for iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse.

The company said that it doesn’t believe that any other Carphone Warehouse customer data or Currys PC World data has been accessed.

“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” said Sebastian James, group chief executive of Dixons Carphone in a statement.

Sophisticated attack on Carphone Warehouse

Customers affected have been warned to watch out for unusual behaviour or transactions on their bank accounts and to be vigilant in case of people calling asking for personal information, bank details or passwords.

“Naturally people will be concerned even if there is the remotest chance that they might be left out of pocket because of a hack like this,” said security researcher Graham Cluley.

“My advice is to keep a close eye on your bank statements, looking out for unusual purchases.

“Very little is known publicly about the nature of the hack presently, although chances are that Carphone Warehouse has over the last few days been busy trying to determine the scale of the breach, and ensuring that its systems are no longer vulnerable.

“Potentially the hackers could have exploited a poorly secured website which had been misconfigured or not received appropriate security patches or updates. Another possibility is that the attackers simply managed to trick a member of Carphone Warehouse staff into handing over their own credentials used to access customer databases — perhaps through a phishing email, although it’s important to stress that this is just speculation at this stage,” Cluley said.

Carphone Warehouse image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com