Over the weekend, Carphone Warehouse admitted that it had suffered a data breach and that the records of a number of customers “may have been accessed.”
The problem here is the inexact language of the Carphone Warehouse statement. In order to get something out to the press, they have chosen to cast a very wide net which doesn’t help customers, doesn’t help the brand and certainly doesn’t help investigators.
Carphone Warehouse press release full of “may have’s”
According to the press release: “On August 5th we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack. This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.”
It goes on to say: “Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed.” This statement makes no mention of email addresses, yet later in the press release Carphone Warehouse admits that email addresses would have been part of any data that was stolen.
Note the constant use of the word “may”. In effect, they are saying that they have no clue yet as to what has been stolen. All they have is evidence that an attack took place; they have not yet discovered what data was exfiltrated. This has led to widespread confusion in the reporting of the attack.
Encryption needs to be more than just about credit cards
One question that Carphone Warehouse has to answer urgently is whether it was just encrypted credit card data that was stolen or whether there is any evidence the encryption has been broken. This is a very important distinction because unless the cybercriminals can decrypt the credit card data, it has limited value to them. The fact that credit card data was encrypted makes sense as the Payment Card Industry Data Security Standard (PCI DSS) requires credit card data to always be stored encrypted.
It is likely that at least some of the 2.4 million customers whose name, address, date of birth and bank details may have been taken would have paid by debit card. In that case, PCI DSS requires that those details were encrypted. From the wording of the Carphone Warehouse statement, it would appear either that none of the customers concerned used their debit cards or, if they did, that Carphone Warehouse chose not to store the debit card data but the underlying bank record instead, which is, at best, poor practice.
The other factor here is that UK law and the UK banking industry do not require companies holding customers’ bank data to store it encrypted. However, it is seen as industry best practice to encrypt any personally identifiable information (PII) and sensitive data that is stored. While best practice has no legal standing, it is something that companies should be using as a baseline. In this case it appears to have been ignored by Carphone Warehouse.
In a comment on the news, Mark Bower, Global Director at HP Security Voltage, said: “It’s a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission. Disk encryption protects data at rest, but it’s an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion.
“Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this. Today’s new-breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers.”
This repurposing of stolen data is nothing new. Last year several security companies reported on the increased use of cloud services such as data analytics by hackers. They were buying access to services using stolen credentials, uploading stolen data dumps and then doing detailed analysis to find as much data on individuals as possible. This enables them to create complete profiles on individuals which are then worth much more to those conducting Identity Theft.
Bower goes on to say: “By securing customer and card data from capture over the data’s journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. It’s a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can’t monetize quickly move on to other targets.”
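As an added illustration of the field-level tokenization Bower describes, and of the point made above that bank details deserve the same treatment as card numbers, the following Python example (written for this article, not code from HP Security Voltage or from Carphone Warehouse) keeps real card and account numbers in a separate vault and stores only format-preserving tokens in the customer record. The vault class, the key and the sample record are constructed for the example; the tokens keep the length and last four digits of the original so the application can still display a masked number and match repeat customers without ever decrypting anything. It is a deliberately simple vault; production systems use a vetted scheme such as the format-preserving encryption Bower mentions.

```python
"""Field-level tokenization of customer records (constructed example).

The application database holds tokens only; the mapping back to real
values lives in a separately secured vault. A dump of the application
database therefore contains no card or account numbers.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Token <-> value mapping, held on a separate system in practice."""

    def __init__(self, key: bytes) -> None:
        self._key = key                       # constructed key for the example
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def _derive_digits(self, value: str, count: int) -> str:
        # Keyed MAC -> decimal digits. Deterministic, so the same card
        # always yields the same token and repeat purchases can be matched
        # on tokens alone. Without the key the digits are unpredictable.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).digest()
        return str(int.from_bytes(mac, "big")).zfill(count)[-count:]

    def tokenize(self, value: str) -> str:
        """Return a same-length, all-digit token ending in the real last four."""
        if not value.isdigit() or len(value) < 8:
            raise ValueError("value must be numeric and at least 8 digits")
        if value in self._value_to_token:
            return self._value_to_token[value]
        keep = value[-4:]                     # last four stay visible, as on receipts
        body = self._derive_digits(value, len(value) - 4)
        token = body + keep
        while token in self._token_to_value:  # collision with another value: random fallback
            body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = body + keep
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, with vault access, ever calls this."""
        return self._token_to_value[token]


# Fields the application must never store in the clear.
SENSITIVE_FIELDS = ("card_number", "account_number")


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Copy of a customer record that is safe to store in the app database."""
    safe = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in safe:
            safe[field] = vault.tokenize(safe[field])
    return safe


def masked_display(token: str) -> str:
    """Data in use without decryption: show only the last four digits."""
    return "*" * (len(token) - 4) + token[-4:]


def leaked_values(records: list, sensitive: list) -> list:
    """Simulate a stolen dump and report which real values appear in it."""
    dump = "\n".join(",".join(str(v) for v in r.values()) for r in records)
    return [s for s in sensitive if s in dump]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key-not-for-real-use")
    # Constructed sample record; 4111111111111111 is a well-known test card number.
    customer = {"name": "A. Customer", "card_number": "4111111111111111",
                "account_number": "12345678"}
    stored = protect_record(vault, customer)
    print("stored record:", stored)
    print("receipt shows:", masked_display(stored["card_number"]))
    print("real values in dump:", leaked_values([stored], list(customer.values())[1:]))
```

The check a defender wants is the last line: after tokenization, a copy of the application table contains neither the card number nor the account number, while the business functions (masking, matching a returning card) still work on the tokens.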
Who should pay for identity protection?
One of the big surprises here is the difference between a UK and a US data breach. US customers are used to being offered identity theft protection when their details have been stolen typically for 24 to 36 months. In this case, Carphone Warehouse has made no offer to any of its customers to pay for any identity theft cover or access to credit reports. Instead it has left it to customers to foot the bill for its data breach.
How this is affecting customers is unclear. There are posts on several news sites, including the BBC and some national newspapers, from alleged Carphone Warehouse customers. Some are complaining that they cannot change their details as they are already locked out. With many customers on holiday, they are worried about the cost of calling Carphone Warehouse to get their details reset. As Carphone Warehouse has not provided a worldwide freephone number, those costs could be excessive.
There are also some customers complaining that they have already seen suspicious activity on their accounts. The BBC coverage contains the statement: ‘Carphone Warehouse customer Kerri, from Petersfield, in Hampshire, said she believed her email address had been hacked, and “things stolen”, since the breach.’
How does this affect the rest of the group businesses?
At the moment, Carphone Warehouse is keen to make sure that customers of other parts of the business such as Currys, PCWorld, Dixons Travel and KnowHow are not affected. It claims that customer data is stored on separate systems and is therefore protected. With the investigation into the data breach only just beginning, it is to be hoped that this is the case.
Until the investigation establishes how the data security was compromised, it is hard to be definitive about the security of data in other parts of the business. There will be concerns that the breach occurred due to a failure in existing security controls, at which point the entire business would be susceptible, as it is unlikely that different standards operate across the group.
According to the Metropolitan Police, while Carphone Warehouse has notified them of the breach, it has not formally alleged that a crime has taken place. This may be because Carphone Warehouse is waiting for the results of its own investigation. However, it will need to be careful about how it investigates the breach, ensuring that any evidence uncovered is forensically sound, or it may compromise any eventual criminal investigation.
With such a high profile breach, Carphone Warehouse will also have to assure customers that their details are safe with it. The delays in revealing information mean either that it is not yet fully aware of the facts or that it is conflicted about how to resolve the situation. Sebastian James, the CEO, will surely want to see this news story taper off before the Christmas rush starts. If trust has been compromised, the company may have a troubled December as customers seek apparently more secure outlets.
It will take some time before we hear from the Information Commissioner’s Office as to what really happened. At that point it should become clear whether this was just a lucky attack or whether the breach was caused by a failure of corporate controls. If the latter, we may see a significant fine handed down.
So to answer the initial question – what has Carphone Warehouse lost? At this moment nobody really knows, and the company is not giving precise information.