Carphone Warehouse suffers serious cyber attack

Over the weekend, Carphone Warehouse admitted that it had suffered a data breach and that the records of a number of customers “may have been accessed.”

The problem here is the inexact language of the Carphone Warehouse statement. In order to get something out to the press, they have chosen to cast a very wide net which doesn’t help customers, doesn’t help the brand and certainly doesn’t help investigators.

Carphone Warehouse press release full of “may have’s”

According to the press release: “On August 5th we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack. This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.”

It goes on to say: “Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed.” This statement omits to mention email addresses yet later in the press release Carphone Warehouse admits that email addresses would have been part of any data that was stolen.

Note the constant use of the word “may”. In effect, they are saying that they have no clue yet as to what has been stolen, which means that all they have is evidence that an attack took place; they have not yet discovered what data was exfiltrated. This has led to widespread confusion in how the attack has been reported.

Encryption needs to be more than just about credit cards

One question that Carphone Warehouse has to answer urgently is whether it was just encrypted credit card data that was stolen or whether there is any evidence the encryption has been broken. This is a very important distinction because unless the cybercriminals can decrypt the credit card data, it has limited value to them. The fact that credit card data was encrypted makes sense as the Payment Card Industry Data Security Standard (PCI DSS) requires credit card data to always be stored encrypted.

It is likely that at least some of the 2.4 million customers whose name, address, date of birth and bank details may have been taken would have paid by debit card. In that case, it is a requirement of PCI DSS that those card details were encrypted. From the wording of the Carphone Warehouse statement, it would appear that either none of the customers concerned used their debit cards or, if they did, Carphone Warehouse has chosen not to store the debit card data but the underlying bank account record instead, which is, at best, poor practice.

The other factor here is that UK law and the UK banking industry do not require companies holding customers’ bank data to store it encrypted. However, it is seen as industry best practice to encrypt any personally identifiable information (PII) and sensitive data that is stored. While best practice has no legal standing, it is something that companies should be using as a baseline. In this case it appears to have been ignored by Carphone Warehouse.

In a comment on the news, Mark Bower, Global Director at HP Security Voltage, said: “It’s a clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission. Disk encryption protects data at rest, but it’s an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion.

“Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this. Today’s new-breed of encryption and tokenization techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers.”

This repurposing of stolen data is nothing new. Last year several security companies reported on the increased use of cloud services such as data analytics by hackers. They were buying access to services using stolen credentials, uploading stolen data dumps and then doing detailed analysis to find as much data on individuals as possible. This enables them to create complete profiles on individuals, which are then worth much more to those conducting identity theft.

Bower goes on to say: “By securing customer and card data from capture over the data’s journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer reviewed data encryption is infeasible to break on any realistic basis. It’s a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can’t monetize quickly move on to other targets.”

Who should pay for identity protection?

One of the big surprises here is the difference between a UK and a US data breach. US customers are used to being offered identity theft protection when their details have been stolen, typically for 24 to 36 months. In this case, Carphone Warehouse has made no offer to any of its customers to pay for identity theft cover or access to credit reports. Instead it has left customers to foot the bill for its data breach.

How this is affecting customers is unclear. There are posts on several news sites, including the BBC and some national newspapers, from alleged Carphone Warehouse customers. Some are complaining that they cannot change their details as they are already locked out. With many customers on holiday, they are worried about the cost of calling Carphone Warehouse to get their details reset. As Carphone Warehouse has not provided a worldwide freephone number, those costs could be excessive.

There are also some customers complaining that they have already seen suspicious activity on their accounts. The BBC coverage contains the statement: ‘Carphone Warehouse customer Kerri, from Petersfield, in Hampshire, said she believed her email address had been hacked, and “things stolen”, since the breach.’

Carphone Warehouse suffers data breach

How does this affect the rest of the group businesses?

At the moment, Carphone Warehouse is keen to make sure that customers of other parts of the business such as Currys, PCWorld, Dixon Travel and KnowHow are not affected. It claims that customer data is stored on separate systems and is therefore protected. With the investigation into the data breach only just beginning it is to be hoped that this is the case.

Until the investigation turns up how the data security was compromised, it is hard to be definitive about the security of data in other parts of the business. There will be concerns that the breach occurred due to a failure in existing security controls, in which case the entire business will be susceptible, as it is unlikely that different standards operate across the group.

According to the Metropolitan Police, while Carphone Warehouse has notified them of the breach, it has not formally alleged that a crime has taken place. This may be because Carphone Warehouse is waiting for the results of its own investigation. However, it will need to be careful about how it investigates the breach to ensure that any evidence uncovered is forensically sound, or it may compromise any eventual police investigation.

With such a high profile breach, Carphone Warehouse will also have to assure customers that their details are safe with it. The delays in revealing information mean either that the company is not fully aware of the truth or that it is conflicted about how to resolve the situation. Sebastian James, the CEO, will surely want to see this news story taper off before the Christmas rush starts. If trust has been compromised then the company may have a troubled December as customers seek apparently more secure outlets.

Conclusion

It will take some time before we hear from the Information Commissioner’s Office as to what really happened. At that point it should become clear whether this was just a lucky attack or whether the breach was caused by a failure of corporate controls. If the latter, then we may see a significant fine handed down.

So to answer the initial question – what has Carphone Warehouse lost? At this moment nobody really knows and they are not giving accurate data.

1 COMMENT

  1. Well all of this is interesting but keeping in mind that people who go through all the trouble of obtaining your personal information intend to use it in illegal ways. Once one takes the risk of breaking the law and committing a crime, there is pretty much no way to protect yourself. All the precautions in this blog may help against amateur hackers, but in reality one’s accounts and passwords can be obtained in much simpler ways. I have experience with computer viruses and especially phishers and keyloggers and anyone reading this article should understand that it is almost impossible to stay 100% protected if you engage in online banking or shopping using credit card or other services such as Paypal. Any skillful programmer will be able to tell you that antivirus programs cannot detect all viruses and some can be stealthy and you won’t know anything while every keystroke on your keyboard is being electronically recorded and uploaded to someone’s server. I only know of the ways I have come in contact with to obtain access to someone’s computer, but creative hackers are coming up with newer and newer security breaches. Even a small popup on your web browser could in reality launch a stealthy virus of some sort on your computer. All this might be frightening and most computer users don’t understand the danger they put their private information in when they for instance shop online or check their bank accounts. There are an unthinkable amount of ways to infect someone’s computer but there are only a few ways to protect oneself. Perhaps the best, but also somewhat annoying and time consuming, is to install a separate operating system on your computer to use for banking and entering confidential information such as credit card number to purchase something from an electronic store. I recommend the blackhatcreator@gmail.com
