Carphone Warehouse Hack: The Big Questions

Big questions swirl around the breach at Carphone Warehouse...

By CBR Staff Writer

Carphone Warehouse announced this morning that its systems were compromised last year, revealing 5.9 million card details and the details of 1.2 million customers.

The revelation comes weeks before its executives publish the company’s annual financial results on June 21 and as new CEO Alex Baldock shakes up the company, saying in recent results “there’s plenty to fix, [but] it’s all fixable”.

Most cards were protected by chip and pin, but 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.

The breach follows a fine of £400,000 from Information Commissioner Elizabeth Denham in January owing to a similar incident in 2015, which exploited vulnerabilities in aging WordPress software.

She said at the time: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”

The Big Questions

In the wake of the breach, the first major one to be announced post-GDPR, these are the big questions:

1: How Will the ICO React?

Carphone Warehouse has already been warned in stern terms that its data protection is woefully sub-par. The ICO has typically dished out fines that amount to a slap on the wrist for a large company (Carphone Warehouse expects profit before tax this year of £300 million), but GDPR changes that, with the potential for much greater fines. Although the data was exposed before the legislation came into force, the ICO may be minded to exert its authority. Others will be watching closely…


2: Why Did the Breach Take so Long to Detect?

Carphone Warehouse says it only identified the breach last week. CEO Alex Baldock said: “We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”

Andrew Bushby, UK director at Fidelis Cybersecurity, notes: “Calling in cybersecurity experts after an attack is not going to pull back the data. From a security standpoint, all organisations need to get real visibility of what’s happening to their systems – at all times, providing the ability to proactively find the unknown threats, not just in the aftermath of an attack.”

3: What Should Carphone Warehouse Users do?

As Paul Edon, Technical Director (EMEA) at Tripwire puts it: “Even though Dixons Carphone released a statement saying that there is ‘no evidence of cards being used fraudulently following the breach’, it is imperative that individuals continually monitor their bank accounts and report any signs of identity theft or fraudulent activity to their banks. Financial information is a high commodity on the dark web and so it will be highly targeted by criminals.” Change passwords too, just in case…

4: Can Others Learn Lessons Here?

Nik Whitfield, CEO, Panaseer said: “This data breach needs to act as a wake-up call to companies to examine their cyber risk posture. 80 percent of all threats could be stopped if organisations addressed the basics of enterprise cyber hygiene. Achieving this isn’t easy – the bigger the organisation, the more challenging it is to maintain these ‘basics’, such as identifying IT assets, patching systems, secure coding and controlling privileged access. If they want to effectively remediate cyber security risk and avoid data breaches like these, organisations need to move to a proactive approach and in effect start fireproofing rather than firefighting.”
