Last year’s Carphone Warehouse data breach was worse than the company thought: nine million people worse, the company announced on Monday.
CEO Alex Baldock apologised for customer “distress”, saying that an investigation found “approximately 10 million records containing personal data may have been accessed in 2017”, up from the 1.2 million first suspected.
Initial revelations last year had found that 105,000 non-EU issued payment cards which do not have chip and pin protection had been compromised. Some 5.6 million card details believed to have leaked were protected by chip and pin.
In a comment published this morning, Dixons Carphone, which trades as Carphone Warehouse, said of the revelations about the scale of the breach: “These records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”
The company was fined £400,000 by Information Commissioner Elizabeth Denham in January over a similar incident in 2015, which exploited vulnerabilities in aging WordPress software.
Staying Protected: Cybersecurity Specialists Respond
David Emm, Principal Security Researcher at Kaspersky Lab, said: “Huge amounts of personal information – including names, addresses and email addresses – were accessed, along with records of nearly 6 million payment cards, affecting a huge amount of the population. This latest breach underlines how important it is for businesses to arm themselves against threats. By taking simple steps to secure their internal systems, firms can reduce their exposure to attack.”
See also: Carphone Warehouse Hack: The Big Questions
Kaspersky Lab recommends the following advice for businesses to stay protected:
- Conduct a security audit – Identifying your business’s security strengths, weaknesses and opportunities for improvements will provide a good foundation for your future decision-making process on appropriate technology and other measures
- Choose the right anti-malware protection – Choosing the right security software will allow you to feel relaxed and comfortable that your business is adequately protected, without the hassle of managing an expensive or overly elaborate security solution
- Keep your software up to date – Apply updates to your operating systems and applications as soon as they become available (switch on automatic updates where this is available). Remember, programs that haven’t been updated are one of the key means that cybercriminals use to hack businesses
- Back up – Plan for the worst-case scenario: infection. It’s vital to back up your files – so that, if your documents are compromised, you can restore your files with minimal disruption
- Educate your staff about browsing behaviours – The starting point for most attacks is tricking people into doing something that allows attackers to get a foothold. Therefore, proactively educating your staff about the impact their online activity can have on the business will help to reduce your exposure to online threats significantly.
Poor Visibility
Matt Middleton-Leal, General Manager, EMEA at Netwrix said: “This is a classic example of an organisation that simply did not have sufficient visibility into its IT infrastructure and by extension its most important asset: in this case, its customers’ confidential data.
“I would implore all organisations to ensure that they can track in an automated fashion all confidential data and who has access to it within the company. The faster that an organisation can detect, investigate and stop an attack in its tracks, the better its changes of preventing damage and avoiding significant financial penalties in the era of GDPR.”
Lessons Learned from the Carphone Warehouse Data Breach
Joseph Carson, Chief Security Scientist at Thycotic added: “I believe that Dixons Carphone could carry out better incident response and communications relating to the impacted customers.
“Like many companies have done in the past, they disclosed data breach numbers while the digital forensics was still ongoing, and we are likely still to find out the real impact of this data breach.”
“The good news is that they are working with cybersecurity professionals and implementing security and protection from unauthorised access which for many companies is still a major gap in cybersecurity today.”