
News has broken this weekend that the personal data, including bank account details, of some 2.4 million customers of the Carphone Warehouse may have been compromised following a breach that the mobile phone retail giant is calling "a sophisticated cyber-attack." The company also warns that encrypted credit card data of up to 90,000 customers may have been accessed during the breach.

Scotland Yard and the Information Commissioner's Office have both been notified, along with a security outfit specialising in forensic examination of such attacks. However, the statement from Carphone Warehouse, released on Saturday, which reveals that the compromised personal details also include names, addresses and dates of birth, also discloses that discovery of the attack took place on Wednesday: "On 5 August 2015 we discovered that the IT systems of three of our online UK businesses had been subject to a sophisticated cyber attack." This will no doubt leave many customers whose data has been exposed wondering why it took a further three days for the breach to be disclosed.

Those customers, it should be said, extend further than just Carphone Warehouse itself. The official disclosure statement continues: "The three websites affected are onestopphoneshop.com, e2save.com and mobiles.co.uk. These websites also provide a number of services related to mobile phone contracts to iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse." Bear in mind that this means a further 480,000 TalkTalk Mobile customers could be impacted, and I expect reports of the total number of potential victims to rise in the coming days and weeks.

Sebastian James, group chief executive of parent company Dixons Carphone, says that "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems." That is not much comfort to those people asking why it took three days to decide to notify them of the situation. James also noted that the company has "put in place additional security measures", which again is great, but it would have been far better had sufficient measures been in place to begin with. Carphone Warehouse is, after all, part of a £3.7 billion corporate giant which includes the likes of PC World and Currys. Plenty of money and experience there, you might have thought, to get security done properly from the get-go. Simply stating that the "vast majority" of customer data was held on separate servers that were not impacted by the breach is not enough, especially if you are amongst the millions whose data was accessed.

Commenting on this, Mike Spykerman, VP at OPSWAT, said:

The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines. By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection.

Meanwhile, Mark Bower who is Global Director at HP Security Voltage, adds:

It's a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission. Disk encryption protects data at rest, but it's an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion. Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this. Today's new breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data's journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. It's a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can't monetize quickly move on to other targets.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Comment from Philip Lieberman, CEO of Lieberman Software:

This is an excellent example of where the CEO of the company now needs to step in and evaluate whether his leadership of his information technology department yielded what he and his board of directors view as an acceptable loss. The CEO’s role today must be as the commander-in-chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future. Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors reevaluate their security vendor choices and internal processes going forward. As we can all see, perimeter protections failed and leadership needs to come to a hard realization that their interior protections were inadequate for today’s modern attacks. Appropriate privileged identity management (PIM) solutions coupled with hygienic automated management of identities might have reduced this intrusion to a non-event.


Comment from Amichai Shulman, CTO of Imperva:

I think that this is a good example of how media and “normal” people sometimes overlook what attackers are extremely fast to understand. How can someone even bother to mention 90,000 credit card numbers (which seem to be encrypted) when 2.4 million records, that include bank account numbers as well as personal details, have been stolen? Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have “immutable” information about millions of individuals. This is something to worry about.


Comment from Mark James, Security Specialist at IT Security Firm ESET:

Data from this breach may well be used in an attempt to directly log into other financially related systems as some people still fail to have unique passwords for different online accounts. This data may also be used in targeted phishing attacks to get more useful data that could also be used for identity theft or other malicious purposes. We all know how to handle that random caller or email that tries to scam us with a half-hearted attempt at gaining our trust, but if they are armed with some kind of information that is true along with some knowledge of our explicit data (names, addresses) that trust could be the stepping stone to a successful scam being completed. Almost certainly data will be circulated and used elsewhere for ongoing spam or malware campaigns; all data has a value and we need to understand that any information can be used for malicious reasons. Customers should be vigilant against people calling or emailing with sporadic bits of information in an attempt to gain more data. Change your passwords NOW, and also remember that you can use different bits of information when filling out forms or applying for web page access. You don’t need to tell the truth about your favourite colour or your first dog’s name. Speak to your bank or financial organisation so they are aware and, if still concerned, sign up for a reputable credit checking organisation to keep an eye on your credit activity. Lastly keep an eye on your bank statements, especially small sporadic payments that are classed as “under the radar” that sometimes can be used to test your bank details.


Comment from Luke Brown at Digital Guardian:

2.4 million is a big number. When this is how many customers have been affected by a data breach, you’ve got to take a good hard look at existing security measures and question if they are even remotely adequate for the task at hand. Carphone Warehouse claims 'only' 90,000 sets of credit card details were accessed. But while a credit card can be cancelled (at much inconvenience to the cardholders affected), it’s a lot more difficult to change a name, address or date of birth. Sadly this is the issue facing the full 2.4 million customers whose personal details are now in the hands of criminals likely to use this information for phishing and fraudulent activities. With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more data-centric approach to security is the only way to effectively protect against this kind of breach in the future. The days of perimeter based security are numbered and, with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday?


Comment from David Emm, Principal Security Researcher at Kaspersky Lab:

The recent cyber-attack on Carphone Warehouse highlights the importance of online security for both organisations and consumers. Companies holding consumer data have a responsibility to keep it safe, and make sure it doesn’t fall into the wrong hands. The fact that 2.4 million people’s personal details have been compromised will undoubtedly be a huge cause of concern for customers; and it’s hardly surprising that many have publicly expressed their dismay at the fact that it took Carphone Warehouse so long to notify them of the breach. Presumably it took Carphone Warehouse time to quantify the extent of the breach and assess its impact before taking steps to notify customers. Carphone Warehouse has said that it has contacted all those affected. However, I would recommend that all Carphone Warehouse customers take the opportunity to change their passwords - including changing them on any other sites where they have used the same password (it’s never a good idea to re-use the same password across multiple accounts). They should also be cautious about any e-mails they receive. The hackers behind the attack may already have been able to formulate phishing emails, so consumers must think carefully about whether the emails they receive are legitimate. I would caution against clicking links in e-mails – it’s always better to type the website address manually, to avoid the risk of being redirected to a phishing site. Finally, they should keep a close check on bank accounts and report any suspicious activity to the bank and to Action Fraud. Worryingly, many people use the same password and personal details across multiple online accounts, so if their details have been compromised by one attack they could find other online accounts suffer too. 
While businesses can do their part by hashing and salting passwords and encrypting other confidential information, it is also up to individuals to ensure that their passwords are complex, that they do not reuse them on different sites and that they change them regularly. A password is the frontline of defence and so it needs to be sufficiently strong; an ideal password is at least 12 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard.

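The salted password hashing and the password policy that David Emm describes above, as an added example that is not part of the original post or of any vendor's product: a per-user random salt with PBKDF2-HMAC-SHA256 (a widely available salted, iterated hash; the iteration count and storage format are assumptions chosen for this example), constant-time verification, and a check for the stated policy of at least 12 characters mixing letters, numbers and symbols.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Constructed parameters for this example (not from the original comment).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt.

    The per-user salt means two users with the same password get different
    stored values, so a leaked table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record, bad hex or non-integer iteration count
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def meets_policy(password: str) -> bool:
    """The policy stated in the comment: >= 12 chars with letters, digits and symbols."""
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= 12 and has_letter and has_digit and has_symbol
```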

Comment from Tim Erlin, Director of Security and Product Management at Tripwire:

Unlike some of the other retail breaches of late, this one was discovered internally by Carphone Warehouse, and disclosed publicly only a few days after discovery. That’s an improvement over breaches that were discovered through credit card fraud and kept undisclosed for longer periods of time. It appears that 90,000 of the 2.4 million affected customers may have had their credit card data accessed, though it was encrypted. The limited number of credit cards affected should also limit the impact of the breach itself.


Comment from Dave Larson, CTO at Corero Network Security:

These types of frequent and sub-saturating DDoS attacks are typically intended to distract corporate security teams, but leave enough bandwidth available for a subsequent attack to infiltrate the victim’s network, much like the incident reported against Carphone Warehouse. This technique of DDoS as a smokescreen is becoming a more commonplace threat, especially for any Internet connected business that is housing sensitive data, such as credit card details, or other personally identifiable information. Organizations need to arm themselves with real-time DDoS protection at their Internet edge, or work to ensure that their upstream providers are offering them more sophisticated DDoS mitigation services to eliminate this challenge. Traditional approaches to DDoS defense cannot and will not catch these sophisticated and malicious attacks.
