Carphone Warehouse hacked. At least 2.4 million customers at risk

Comment from Philip Lieberman, CEO of Lieberman Software:

This is an excellent example of where the CEO of the company now needs to step in and evaluate whether his leadership of his information technology department yielded what he and his board of directors view as an acceptable loss. The CEO’s role today must be as the commander-and-chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future. Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors reevaluate their security vendor choices and internal processes going forward. As we can all see, perimeter protections failed and leadership needs to come to a hard realization that their interior protections were inadequate for today’s modern attacks. Appropriate privileged identity management (PIM) solutions coupled with hygienic automated management of identities might have reduced this intrusion to a non-event.

Comment from Amichai Shulman, CTO of Imperva:

I think that this is a good example of how media and “normal” people sometimes overlook what attackers are extremely fast to understand. How can someone even bother to mention 90,000 credit card numbers (which seem to be encrypted) when 2.4 Million records, that include bank account numbers as well as personal details, have been stolen. Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have “immutable” information about millions of individuals. This is something to worry about.

Comment from Mark James, Security Specialist at IT Security Firm ESET:

Data from this breach may well be used in an attempt to directly log into other financially related systems as some people still fail to have unique passwords for different online accounts. This data may also be used in targeted phishing attacks to get more useful data that could also be used for identify theft or other malicious purposes. We all know how to handle that random caller or email that tries to scam us with a half-hearted attempt at gaining our trust but if they are armed with some kind of information that is true along with some knowledge of our explicit data ( names, addresses) that trust could be the stepping stone to a successful scam being completed. Almost certainly data will be circulated and used elsewhere for ongoing spam or malware campaigns, all data has a value and we need to understand that any information can be used for malicious reasons. Customers should be vigilant against people calling or emailing with sporadic bits of information in an attempt to gain more data. Change your passwords NOW, also remember that you can use different bits of information when filling out forms or applying for web page access. You don’t need to tell the truth about your favourite colour or your first dog’s name. Speak to your bank or financial organisation so they are aware and if still concerned sign up for a reputable credit checking organisation to keep an eye on your credit activity. Lastly keep an eye on your bank statements especially small sporadic payments that are classed as “under the radar” that sometimes can be used to test your bank details.

Comment from Luke Brown at Digital Guardian:

2.4 million is a big number. When this is how many customers have been affected by a data breach, you’ve got to take a good hard look at existing security measures and question if they are even remotely adequate for the task at hand. Carphone Warehouse claims 'only' 90,000 sets of credit card details were accessed. But while a credit card can be cancelled (at much inconvenience to the cardholders affected), it’s a lot more difficult to change a name, address or date of birth. Sadly this is the issue facing the full 2.4 million customers whose personal details are now in the hands of criminals likely to use this information for phishing and fraudulent activities. With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more date-centric approach to security is the only way to effectively protect against this kind of breach in the future. The days of perimeter based security are numbered and with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday.

Cooment from David Emm, Principal Security Researcher at Kaspersky Lab:

The recent cyber-attack on Carphone Warehouse highlights the importance of online security for both organisations and consumers. Companies holding consumer data have a responsibility to keep it safe, and make sure it doesn’t fall into the wrong hands. The fact that 2.4 million people’s personal details have been compromised will undoubtedly be a huge cause of concern for customers; and it’s hardly surprising that many have publicly expressed their dismay at the fact that it took Carphone Warehouse so long to notify them of the breach. Presumably it took Carphone Warehouse time to quantify the extent of the breach and assess its impact before taking steps to notify customers. Carphone Warehouse has said that it has contacted all those affected. However, I would recommend that all Carphone Warehouse customers take the opportunity to change their passwords - including changing them on any other sites where they have used the same password (it’s never a good idea to re-use the same password across multiple accounts). They should also be cautious about any e-mails they receive. The hackers behind the attack may already have been able to formulate phishing emails, so consumers must think carefully about whether the emails they receive are legitimate. I would caution against clicking links in e-mails – it’s always better to type the website address manually, to avoid the risk of being redirected to a phishing site. Finally, they should keep a close check on bank accounts and report any suspicious activity to the bank and to Action Fraud. Worryingly, many people use the same password and personal details across multiple online accounts, so if their details have been compromised by one attack they could find other online accounts suffer too. While businesses can do their part by hashing and salting passwords and encrypting other confidential information, it is also up to individuals to ensure that their passwords are complex, that they do not reuse them on different sites and that they change them regularly. A password is the frontline of defence and so it needs to be sufficiently strong; an ideal password is at least 12 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard.

Comment from Tim Erlin, Director of Security and Product Management at Tripwire:

Unlike some of the other retail breaches of late, this one was discovered internally by Carphone Warehouse, and disclosed publically only a few days after discovery. That’s an improvement over breaches that were discovered through credit card fraud and kept undisclosed for longer periods of time.It appears that 90,000 of the 2.4 million affected customers may have had their credit card data accessed, though it was encrypted. The limited number of credit cards affected should also limit the impact of the breach itself.

Comment from Dave Larson, CTO at Corero Network Security:

These types of frequent and sub-saturating DDoS attacks are typically intended to distract corporate security teams, but leave enough bandwidth available for a subsequent attack to infiltrate the victim’s network, much like the incident reported against Carphone Warehouse. This technique of DDoS as a smokescreen is becoming a more commonplace threat, especially for any Internet connected business that is housing sensitive data, such as credit card details, or other personally identifiable information. Organizations need to arm themselves with real-time DDoS protection at their Internet edge, or work to ensure that their upstream providers are offering them more sophisticated DDoS mitigation services to eliminate this challenge. Traditional approaches to DDoS defense, cannot and will not catch these sophisticated and malicious attacks.