A huge cyber attack targeting Carphone Warehouse made front page news over the weekend, with the personal details of up to 2.4 million UK customers compromised.
Revealed by the mobile phone retailer’s parent company, Dixons Carphone, the ‘sophisticated cyber-attack’ has not only put customer data such as addresses, date of birth and names at risk, but encrypted credit card data of up to 90,000 customers may have also been accessed.
The IT division which was hacked operates not only the Carphone Warehouse website, but also OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.
Promising to contact all customers who may have been affected, Sebastian James, Group Chief Executive of Dixons Carphone, said:
"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures."
The implications of this very public data breach are far reaching, but what do security pros think about it? CBR asked the experts for their take on the data breach, what we might see in the wake of the attack and what other companies can learn.
1. Take a long hard look at yourself, Carphone Warehouse
Luke Brown, Vice President & GM, Europe Middle East Africa India & Latam at Digital Guardian, said:
"2.4 million is a big number. When this is how many customers have been affected by a data breach, you’ve got to take a good hard look at existing security measures and question if they are even remotely adequate for the task at hand. Carphone Warehouse claims ‘only’ 90,000 sets of credit card details were accessed.
"But while a credit card can be cancelled (at much inconvenience to the cardholders affected), it’s a lot more difficult to change a name, address or date of birth. Sadly this is the issue facing the full 2.4 million customers whose personal details are now in the hands of criminals likely to use this information for phishing and fraudulent activities.
"With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more data-centric approach to security is the only way to effectively protect against this kind of breach in the future.
"The days of perimeter based security are numbered and with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday?"
2. What took so long?
Charles Sweeney, CEO at Bloxx, said:
"We’ve seen many big brands face serious criticism over their apparent lethargy in the face of a cyber-attack, eBay being the most obvious. Of course companies need to understand the scope of the attack, but this exercise needs to be undertaken rapidly so that consumers can be engaged and supported in a timely way. How a brand handles a breach is the difference between retaining and losing customers. I think most would argue 72 hours is too long.
"Any concerned individuals should change their passwords across all of their online accounts and check their bank account activity asap."
3. Get ready for a spot of phishing
Klaus Gheri, VP and GM of Network Security at Barracuda Networks, said:
"With email addresses compromised as a result of the Carphone Warehouse breach, organisations and individuals must stay vigilant to the potential for spear phishing attacks. Having access to the email addresses could allow the hackers to build a detailed profile of their target and create a very specific attack.
"After building the profile the attack is likely to come from a ‘trusted source’ and this makes the chances of a successful attack considerably higher. As well as putting security systems in place, businesses, employees and consumers alike need to remain vigilant and question any unexpected email, with an attachment that arrives in their inbox."
4. Learn from this – most are still flying blind
Phil Barnett, EMEA VP and GM of Good Technology, said:
"Many companies are still flying blind when it comes to security, because 60 per cent think it doesn’t affect them. The truth is that it’s not just a conversation for banks or governments anymore – anyone and everyone is a potential victim of hacks and data leaks.
"Data is a company’s biggest asset, but many organisations haven’t yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won’t go away and companies need to change their mindset in order to solve it."
5. Nothing is infallible
David Fisk, EMEA Sales Director at Quorum, said:
"The fact remains disasters such as this will occur. Today’s IT leaders need to be on guard for even the most modest threats to their infrastructure.
"Companies need to be able to minimise the amount of damage during a time of crisis and a strong BC and DR plan goes a long way in helping to do this. Organisations have struggled with DR because traditional methods are either too complicated or too costly to implement and manage except for the largest companies.
"However, by adopting emerging technologies such as DR as a service (DRaaS) organisations can ensure their IT staff are trained and ready to instantly recover operations and keep their business viable.
"The reality is that neither humans nor computers are infallible and IT glitches will happen so it’s about contingency planning and minimising the impact this will have on the company."
6. The double-edged sword
Corey Nachreiner, CTO at WatchGuard, said:
"Whilst this incident proves the value in encrypting customer data, it is important to remember that encryption is a double-edged sword when you look at it from a network visibility perspective. The same encryption process that obscures customer information can also give hackers the same protection.
"Attackers want to hide their communications, such as malware downloads and the command and control channels their malware uses to call home. By nature, encryption provides an effective mechanism for doing exactly that. Bad guys realise that encrypted traffic is typically a "black hole" in your network security and visibility tools, so they’ve started using it for malicious activity, hiding in plain sight.
"Regaining visibility of your network is possible with security controls but this doubles the workload for your security device as it has to decrypt and re-encrypt again, before passing traffic on. Getting around this relies on making sure your security layers are applied by the same appliance so data is only decrypted once and keeping an eye on the performance of this appliance with all of the security features turned on."
7. CEO needs to take control
Philip Lieberman, CEO of Lieberman Software, said:
"This is an excellent example of where the CEO of the company now needs to step in and evaluate whether his leadership of his information technology department yielded what he and his board of directors view as an acceptable loss.
"The CEO’s role today must be as the commander-in-chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future.
"Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors reevaluate their security vendor choices and internal processes going forward."
8. Protect the innocent
Andrew Avanessian, VP at Avecto, said:
"While it’s too early to start pointing the finger at other root causes, time and time again these kinds of attacks often stem from the exploitation of innocent employees through privilege abuse – where a hacker will find their way onto the corporate network and once there seek out employees with admin privileges, creating an open door to sensitive business information.
"It’s important therefore to stress that prevention is possible. Businesses can and should limit their exposure to this risk by adopting a least privilege approach to user access. Businesses should prepare for when they are targeted, not if, and taking control of who has access to what is the obvious starting point.
"This approach is complemented by tight control of applications and the mitigation of internet borne malware through sandboxing, creating multiple layers of defense to prevent and protect against these kinds of threats."
9. Get serious
Keith Poyser, GM EMEA at Accellion, said:
"While the details of the recent Carphone Warehouse security breach are still materialising, it nevertheless reinforces the fact that enterprises need to take cyber security and data leak prevention more seriously. This is a technology issue, training issue, process issue, corporate governance issue and on and on.
"To mitigate the risk of a breach, cyber security ultimately has to become a part of an enterprise’s culture and it must touch every segment of that enterprise. The good news is there are a number of steps organisations can take to lessen the chances of a cyber attack."
10. Carphone Warehouse customers – take action now!
Tony Neate, CEO, Get Safe Online, said:
"This news is hugely concerning for Carphone Warehouse customers. With the stolen data potentially including names, addresses and dates of birth, hackers could also gain access to your other online accounts if you are using any of this information for your passwords. If this is you, now is the time to give your passwords an overhaul – think of something unpredictable and different for every account.
"Carphone Warehouse is said to be getting in touch with customers who need to notify their bank and credit card company, but don’t be fooled by emails or phone calls pretending to be them. There will always be more cyber criminals looking to exploit the situation and trick you into sharing information a legitimate company would never ask for."