Details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack
Carphone Warehouse has admitted that hackers have gained access to the personal details of 2.4 million customers and that up to 90,000 customers may also have had their encrypted credit card details accessed.
The company announced that the IT systems of one of its UK divisions were found to have been breached on Wednesday, having been subjected to a “sophisticated cyber-attack” within the last fortnight.
The company’s investigation found that the data could have included names, addresses, dates of birth and bank details.
A Carphone Warehouse spokesman said the attack was stopped “straight away” after it was discovered on Wednesday afternoon. He also said the breach was likely to have occurred at some point “within the last two weeks before Wednesday afternoon”.
The division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk. All three of the websites were offline on Saturday afternoon as details of the attack were made public.
It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
Carphone Warehouse, which is owned by Dixons Carphone following last year’s £3.7bn merger, also incorporates Currys and PC World. The retailer’s owner, Dixons Carphone, said it was very sorry for the attack.
Sebastian James, chief executive of Dixons Carphone, said:
“We are, of course, informing anyone that may have been affected, and have put in place additional security measures.
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.”
Carphone Warehouse took the affected websites down itself, to protect data once the problem was recognised.
Customer information for Currys and PC World – and the “vast majority” of Carphone Warehouse – is held on separate systems and was not accessed during the attack, the company added.
Carphone Warehouse said it was informing all customers who may have been affected of the breach.
“I am writing to you as a precaution after we discovered on the 5th August that some of our IT systems had been subjected to a sophisticated cyber attack.
We immediately took action to secure these systems and launched a full investigation with a leading cyber security firm to help us understand the impact of this attack. Our investigation is still going on.
At this stage, our investigation indicates that some of the data held on our systems from customers and people who have previously provided information to the company has been accessed. This may include some of your personal details, including your name, address, date of birth and bank details.
We take the security of your data extremely seriously, and we have put in place additional security measures to prevent further attacks. Nevertheless, we felt it was important to let you know as soon as possible.
To reduce the risk of fraudulent activity, we recommend that you consider taking the following steps:
• Notifying your bank and credit card company, so that they can monitor activity on your account
• Checking for suspicious or unexpected online or account activity
• Be wary of anyone calling asking for personal information, bank details or passwords
• You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax.
If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040.
I appreciate that this is potentially concerning for you and I am very sorry that this attack on us has caused this inconvenience.”
It will also advise affected individuals on how to reduce the risk of further consequences arising from the data leak.
Those who think they have been the victim of fraud should contact Action Fraud on 0300 123 2040.