Carphone Warehouse customer data breach investigated
The UK's data watchdog is "making inquiries" after Carphone Warehouse said the personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack.
The attack was discovered on Wednesday, and made public on Saturday.
The encrypted credit card details of up to 90,000 people may have been accessed, the mobile phone firm said.
The Information Commissioner's Office, which examines data breaches, confirmed it was aware of the incident.
Carphone Warehouse says the data could include names, addresses, dates of birth and bank details and it is contacting all those affected.
What can those affected do?
- Notify your bank and credit card company, so they can monitor activity on your account
- Change your password for your online account
- Check your account for any suspicious or unexpected activity
- Be wary of anyone calling asking for personal information, bank details or passwords
- Visit Experian, Equifax or Noddle to check your credit rating to make sure no one has applied for credit in your name
Those who think they have been the victim of fraud should contact Action Fraud on 0300 123 2040.
Carphone Warehouse said the "sophisticated" cyber-attack, which happened in the past two weeks, was stopped "straight away" after it was discovered on Wednesday afternoon.
The affected division of the company operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
The retailer's owner, Dixons Carphone, has apologised for the attack and said additional security measures have been brought in. It has also taken the affected websites down.
'Upset and scared'
Carphone Warehouse customer Kerri, from Petersfield, in Hampshire, said she believed her email address had been hacked, and "things stolen", since the breach.
"I am extremely upset as well as worried and scared," she said.
"Firms like Carphone Warehouse need to be held accountable for security breaches."
Some customers complained they should have been made aware when the breach was first detected.
Technology analyst Tom Cheesewright said the company may have been trying to assess the level of damage before making the announcement.
"I don't think we'll know until the Information Commissioner's Office looks at this - whether they did the right thing, whether they were prudent in waiting a few days." he added.
He said it was likely the data would be sold on.
"There's a ready market in this sort of information. You might pay £5-10 for one set of credit card details, maybe twice that for a full identity," he said.
The details may then be used to shop or take out loans: "It's a very good start for a full case of identity theft."
He urged customers to watch for - and report - any suspicious activity on their bank accounts or credit reports.
A spokesman for the Information Commissioner's Office said: "We have been made aware of an incident at Carphone Warehouse and are making enquiries."
The Metropolitan Police said its Cyber Crime Unit had been notified of the breach by Carphone Warehouse but no formal allegation of a crime had been made.
The Met said it had not had any reports of fraudulent banking activity.
Here are a selection of your comments on this story.
Paul, Liverpool says: I knew something wasn't right when a few days ago I couldn't access the iD Mobile website. I simply put this down to corporate governance. I questioned this further when two days later I still couldn't do so from my own iD mobile phone. Naturally one must ask how much was known and how quickly this attack was mitigated, especially given Talk Talk had been targeted as late as October last year.
David, Romford writes: As a Talkmobile customer, I have just visited the Carphone Warehouse and Talkmobile websites to find out more. Guess what? I could find absolutely no mention of this on either website! It seems like they are trying to sweep this under the carpet. Not good enough.
Ruth comments: I have received the email from Mobiles UK and have contacted my bank etc., and noted the information about credit rating concerns. I have never had an issue with credit rating and have never used these companies. I don't think it's fair that customers like me should now have to consider paying upwards of £14 per month to these credit rating companies just because my records held by Carphone Warehouse have been compromised. I cannot afford to pay this.
Judith, Lee on the Solent says: E2Save - one of those Carphone Warehouse affected accounts - have prevented me from changing my password on my account. If the breach has already taken place, what is the point of bolting the stable door now that my details may have been taken? They should unlock my account so that I can change my password, but they will not let me!
Alan James Bell writes: I've received an email telling me that my account information 'may have been stolen'. So far, my bank accounts look normal. I wanted to check with Experian if someone had applied for a credit card using my details. But, of course, to do so, I have to give Experian all my personal details! In other words, put all my info out there on to yet another server for the Russian / Chinese hackers to exploit!
Vicki tells us: I am a Carphone Warehouse customer and to say the very least I am so unhappy and angry about this situation they have put us in. I hope they will compensate for the worry that everyone is going through right now.