If you are a customer of British mobile phone retailer Carphone Warehouse be sure to check your inbox – as you may have received an email warning from the company that your personal details could now be in the hands of malicious hackers.
Unfortunately, even if you aren’t a direct customer of Carphone Warehouse you may still be affected. For instance, some 480,000 TalkTalk Mobile customers are also said to be impacted.
Here is a copy of a statement Carphone Warehouse is sharing with people:
What has happened?
On 5 August 2015 we discovered that the IT systems of three of our online UK businesses had been subject to a sophisticated cyber attack. At this stage, our investigation indicates that some of the data held on our systems has been accessed and this may include some personal details, including customer name, address, date-of-birth, bank and encrypted credit card details.
Who is affected?
The three websites affected are onestopphoneshop.com, e2save.com and mobiles.co.uk. These websites also provide a number of services related to mobile phone contracts to iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse.
We don’t believe that any other Carphone Warhouse customer data or Currys PC World data has been accessed.
How will I know if I’ve been affected?
We’ve emailed all customers who we believe may have been affected with information and advice.
If you have not received a communication from us regarding your data security, your information should not be impacted and this message does not apply to you.
Naturally, the news of the attack will worry many customers of Carphone Warehouse, TalkTalk, mobiles.co.uk, and the other affected companies that they could be affected.
Customers of mobiles.co.uk have been told for the last few days that the company’s website is down due to “technical difficulties”. Now it seems it’s become a little clear as to what those difficulties were…
Understandably, some customers of the affected mobile phone companies are far from impressed and are turning to Twitter to express their annoyance.
@CPWTweets data hacked on 5th August attempted fraud on my bank account on 6th August coincidence??Today is the 8th why silence for 3 days??
— Dave Hammond (@Dave_CAFC) August 8, 2015
I see @CPWTweets haven't tweeted since it was revealed customers have been hacked! A generic sorry tweet and what to do next would be nice!
— Charlotte Schroeter (@charlotte_a_s) August 8, 2015
Nice to see the chairman of @CPWTweets is "very sorry" about the cyber hack, 2.4m people at risk, including me.
— James (@james1508) August 8, 2015
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” said Sebastian James, group chief executive of Dixons Carphone in a statement.
Clearly it would be much better if the personal information that hackers have accessed had never fallen into their hands – every piece of personal data about you is a potential extra piece of the jigsaw which can lead to identity theft.
Imagine, for instance, if a company asks you to confirm your identity by telling it the first line of your address, your name and date of birth. Well, that’s now in the hands of hackers…
Naturally people will be concerned even if there is the remotest chance that they might be left out of pocket because of a hack like this. My advice is to keep a close eye on your bank statements, looking out for unusual purchases.
Very little is known publicly about the nature of the hack presently, although chances are that Carphone Warehouse has over the last few days been busy trying to determine the scale of the breach, and ensuring that its systems are no longer vulnerable.
Potentially the hackers could have exploited a poorly secured website which had been misconfigured or not received appropriate security patches or updates. Another possibility is that the attackers simply managed to trick a member of Carphone Warehouse staff into handing over their own credentials used to access customer databases – perhaps through a phishing email, although it’s important to stress that this is just speculation at this stage.
There is no specific mention in the advisory as to whether passwords and email addresses might have been put at risk by the hack, but I think it would be wise for customers to assume the worst, and consider changing their passwords.
Importantly, you should never use the same password on different websites. The reason is that if a password for one website falls into the hands of hackers, the last thing you want is for online criminals to then use that same password to unlock your other online accounts, such as your email.
Additionally, if it is found that email addresses were also compromised there is the potential for malicious spam and phishing campaigns against Carphone Warehouse customers.
I couldn’t find any mention of the data breach on Carphone Warehouse’s website at the time of writing, but – for more information – check out this BBC News report.