Carphone Warehouse announced this morning that its systems were compromised last year, revealing 5.9 million card details and the details of 1.2 million customers.
The revelation comes weeks before its executives publish the company’s annual financial results on June 21 and as new CEO Alex Baldock shakes up the company, saying in recent results “there’s plenty to fix, [but] it’s all fixable”.
Most cards were protected by chip and PIN, but 105,000 non-EU-issued payment cards, which do not have chip and PIN protection, have been compromised.
The breach follows a fine of £400,000 from Information Commissioner Elizabeth Denham in January owing to a similar incident in 2015, which exploited vulnerabilities in aging WordPress software.
She said at the time: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
The Big Questions
In the wake of the breach, the first major one to be announced post-GDPR, these are the big questions:
1: How Will the ICO React?
Carphone Warehouse has been warned already in stern terms that its data protection is woefully sub-par. The ICO has typically dished out fines that are a slap on the wrist for a large company (Carphone Warehouse expects profit before tax this year of £300 million), but GDPR changes that with the potential for much greater fines. Although the data was exposed before the legislation came into force, the ICO may be minded to exert its authority. Others will be watching closely…
2: Why Did the Breach Take so Long to Detect?
Carphone Warehouse says it only identified the breach last week. CEO Alex Baldock said: “We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
Andrew Bushby, UK director at Fidelis Cybersecurity, notes: “Calling in cybersecurity experts after an attack is not going to pull back the data. From a security standpoint, all organisations need to get real visibility of what’s happening to their systems – at all times, providing the ability to proactively find the unknown threats, not just in the aftermath of an attack.”
3: What Should Carphone Warehouse Users Do?
As Paul Edon, Technical Director (EMEA) at Tripwire puts it: “Even though Dixons Carphone released a statement saying that there is ‘no evidence of cards being used fraudulently following the breach’, it is imperative that individuals continually monitor their bank accounts and report any signs of identity theft or fraudulent activity to their banks. Financial information is a high commodity on the dark web and so it will be highly targeted by criminals.” Change passwords too, just in case…
4: Can Others Learn Lessons Here?
Nik Whitfield, CEO of Panaseer, said: “This data breach needs to act as a wake-up call to companies to examine their cyber risk posture. 80 percent of all threats could be stopped if organisations addressed the basics of enterprise cyber hygiene. Achieving this isn’t easy – the bigger the organisation, the more challenging it is to maintain these ‘basics’, such as identifying IT assets, patching systems, secure coding and controlling privileged access. If they want to effectively remediate cyber security risk and avoid data breaches like these, organisations need to move to a proactive approach and in effect start fireproofing rather than firefighting.”