News has broken this weekend that the personal data, including bank account details, of some 2.4 million customers of the Carphone Warehouse may have been compromised following a breach that the mobile phone retail giant is calling "a sophisticated cyber-attack." The company also warns that encrypted credit card data of up to 90,000 customers may have been accessed during the breach.
Scotland Yard and the Information Commissioner's Office have both been notified, along with a security outfit specialising in forensic examination of such attacks. However, the statement from Carphone Warehouse, released on Saturday, which reveals that the compromised personal details also include names, addresses and dates of birth, also reveals that discovery of the attack took place on Wednesday: "On 5 August 2015 we discovered that the IT systems of three of our online UK businesses had been subject to a sophisticated cyber attack." This will no doubt leave many customers whose data has been exposed wondering why it took a further three days for the breach to be disclosed.
Those customers, it should be said, extend further than just Carphone Warehouse itself. The official disclosure statement continues: "The three websites affected are onestopphoneshop.com, e2save.com and mobiles.co.uk. These websites also provide a number of services related to mobile phone contracts to iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse." Now, bear in mind that this means a further 480,000 TalkTalk Mobile customers could be impacted, and I expect reports of the total number of potential victims here to rise in the coming days and weeks.
Sebastian James, group chief executive of parent company Dixons Carphone, says that "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems." That is not coming as much comfort to those people asking why it took three days to decide to notify them of the situation. James also noted that the company has "put in place additional security measures", which again is great, but it would have been far better had sufficient measures been in place to begin with. Carphone Warehouse is, after all, part of a £3.7 billion corporate giant which includes the likes of PC World and Currys. Plenty of money and experience there, you might have thought, to get security done properly from the get-go. Simply stating that the "vast majority" of customer data was held on separate servers that were not impacted by the breach is not enough, especially if you are amongst the millions whose data was accessed.
Commenting on this, Mike Spykerman, VP at OPSWAT, said:
The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines. By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection.
Meanwhile, Mark Bower, who is Global Director at HP Security Voltage, adds:
It's a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission. Disk encryption protects data at rest, but it's an all-or-nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion. Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this. Today's new breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data's journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. It's a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can't monetize quickly move on to other targets.
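The property Bower describes, stored values that keep the shape downstream systems expect yet are worthless on their own, can be shown with a small vault-based tokenization scheme. The Python below is an added example written for this page; it is not code from the article or from HP Security Voltage, and it implements tokenization rather than Format-Preserving Encryption proper (the standardised FF1/FF3 algorithms). The 16-digit PAN length, the `TokenVault` class, the `stored_order_rows` helper and the test card numbers are assumptions made for the example.

```python
# Added example (not from the article or from HP Security Voltage): a minimal
# format-preserving tokenization vault for 16-digit card numbers (PANs).
# The shop's database keeps only tokens that look like PANs (16 digits,
# Luhn-valid, same last four); reversing a token needs the separate vault.
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for `payload` (every digit except the last)."""
    total = 0
    # Walk the payload from the right; its rightmost digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_valid_pan(pan: str) -> bool:
    """Assumption for this example: PANs are exactly 16 digits (real ones run 13-19)."""
    return pan.isdigit() and len(pan) == 16 and luhn_check_digit(pan[:-1]) == pan[-1]


class TokenVault:
    """Maps PANs to random tokens. Only the vault, which belongs on a separate and
    tightly controlled system, can reverse a token; the shop never stores the PAN."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # keyed hash so a repeat PAN maps to the same token
        self._token_by_ref = {}         # HMAC(PAN) -> token
        self._pan_by_token = {}         # token -> PAN (the sensitive table)

    def _ref(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a valid 16-digit Luhn PAN")
        ref = self._ref(pan)
        if ref in self._token_by_ref:
            return self._token_by_ref[ref]   # deterministic, so joins and analytics still work
        tail = pan[-4:]                       # keep the last four for receipts and support calls
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(12))
            candidate = middle + tail
            # Accept only candidates whose preserved last digit is still a valid Luhn
            # check digit, so legacy input validation treats the token like a PAN.
            if (luhn_check_digit(candidate[:-1]) == candidate[-1]
                    and candidate != pan
                    and candidate not in self._pan_by_token):
                break
        self._token_by_ref[ref] = candidate
        self._pan_by_token[candidate] = pan
        return candidate

    def detokenize(self, token: str) -> str:
        """Authorised path only, e.g. the call-out to the payment processor."""
        return self._pan_by_token[token]


def stored_order_rows(vault: TokenVault, orders):
    """What the online shop's own database holds: order ids and tokens, no PANs.
    `orders` is a list of (order_id, pan) pairs captured at checkout."""
    return [(order_id, vault.tokenize(pan)) for order_id, pan in orders]


if __name__ == "__main__":
    # Constructed sample data: card-brand test numbers, not real cards.
    vault = TokenVault(secrets.token_bytes(32))
    rows = stored_order_rows(vault, [("A1", "4111111111111111"),
                                     ("A2", "5555555555554444"),
                                     ("A3", "4111111111111111")])
    for order_id, token in rows:
        print(order_id, token, "looks like a PAN:", is_valid_pan(token))
```

Copying the shop's order table yields values that pass the same format checks as card numbers but carry no card data, which is the "useless to attackers, functional to the business" outcome the quote argues for. The trade-off a practitioner should note is that the vault and its lookup key become the high-value target, so they need their own segregation, access logging and alerting; the example keeps both in process only to stay self-contained.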