Carphone Warehouse coughs to MONSTER data breach – 2.4 MEELLION Brits at risk

Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked. The company said on Saturday afternoon that it had first discovered its systems had been violated by a " …

  1. Grikath

    Your customer details...

    The new Gold, better than gold!

    That's how many in the past two months? Some people have been really, really busy..

    1. Zog_but_not_the_first
      Windows

      Re: Your customer details...

      And who's the new front runner in slurping customer details? Microsoft!

      1. Danny 14

        Re: Your customer details...

        I voluntarily give Microsoft my details each year. I sign many agreements with my name, address and other details, I also sign electronic agreements with my info too. I get sent one email per year from them, I have never had an unsolicited email, phone call or snail mail from them.

        1. Hans 1

          Re: Your customer details...

          >I have never had an unsolicited email, phone call or snail mail from them.

          Not from them, but from "partners", maybe ?

  2. Destroy All Monsters Silver badge
    Holmes

    mega data breach?

    With 90'000 customers affected, it's more like a kilo data breach.

    Eagerly waiting for the song "summer of breaches" by some nu metal band. "BreeeAACHHESSS!! RoooROOORrrooo"

  3. Anonymous Coward
    Anonymous Coward

    They fuck up, you have to sort it out?

    So Carphone Warehouse get hacked. It's always a sophisticated hack because they can't admit their security is utter shite; I'm surprised they don't claim they were hacked by a Nation State to try and shift the blame elsewhere.

    They then compound their stupidity by telling the customer it's their responsibility to sort out issues. What a bunch of utter clueless fuckwits. I'm pleased I pay for all my PAYG with cash as I need it.

    Epic fail.

    1. ecofeco Silver badge

      Re: They fuck up, you have to sort it out?

      What? You've never heard the phrase "privatize the profits, socialize the losses?"

      What's even more amazing is that people put up with this shit. Truly, we have the governments we deserve.

    2. Anonymous Coward
      Anonymous Coward

      Re: They fuck up, you have to sort it out?

      As they have the bank and credit card details on-hand then they should be informing the banks directly. I cannot see any excuse for them not to.

      Oh wait, that would cost more. How much is a ruined reputation worth these days?

  4. Steve Crook

    Sophisticated...

    So obviously not our fault. What could we do? So no compensation for all the inconvenience changing CC details, passwords, pins and ongoing identity theft risk, because, well, how could we ever be expected to defend ourselves against an attack as sophisticated as that.

    Yeah, right. Funny how *all* these attacks are sophisticated.

    1. Salts

      Re: Sophisticated...

      Just come to say much the same thing: "sophisticated cyber attack", short for "we did not apply the patches, left the password at default", etc.

      1. Captain DaFt

        Re: Sophisticated...

        And how are we supposed to know when "Bob" from accounting calls asking for his password, that it's not him?

        That twat can never remember his password!

        1. John Sanders
          Flame

          Re: Sophisticated...

          By having 2-factor authentication, Bob should use a key of some sort besides his password.

          1. Danny 14

            Re: Sophisticated...

            Bob lost his dongle AND changed address to Nigeria at the same time. It took a week to mail a new one to him so we could change his password.

          2. kmac499
            Happy

            Re: Sophisticated...

            'By having 2 factor authentication Bob should use a key of some sort besides his password.'

            He did, we texted the auth code to his phone... D'oh

  5. Doctor Syntax Silver badge

    The usual waffle about announcing a breach and then saying your security is important to us. Has it just become important now it's too late? Possibly. It'd be a bit tough to claim that it had been important prior to the breach.

    1. Roq D. Kasba

      Compared to the level of competence of the staff at my local branch, URL parameter stuffing would be sophisticated.

      1. Roq D. Kasba

        Downvoters, just a question - do you know where I live and the branch I'm referring to and the staff are your stepsiblings or something? I can't believe it's you personally, as if you're able to comprehend The Reg, you're not telling me technical lies.

        1. Shades

          Sorry

          Had to downvote your post about downvotes because, well, that's generally what happens around these parts. There's been many a time I've started to write a rant about downvotes on my posts, even on posts that contain simple undeniable facts rather than opinions, but then thought better of it. It's best just to ignore them.

          1. Roq D. Kasba

            Re: Sorry

            Lol cheers Shades, I'm running a balance of 6000 more up votes than down, so can take the hit (especially as points don't, apparently, make prizes). Please do the honourable and down vote this post as well, just because commentards.

            +1 for you by the way

            1. IsJustabloke
              Facepalm

              Re: Sorry

              Well I'm glad that you feel nice and validated by all the up votes.

    2. sysconfig

      "The usual waffle about announcing a breach and then saying your security is important to us."

      I have a lot of important things on my To-Do list as well... doesn't mean that I will tackle them any time soon, since there are different shades of importance, and then there's priorities, and meetings about priorities and backlogs with lots of important things... Sounds familiar, Carphone Warehouse?

  6. Swiss Anton

    Security Certification ?

    Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.

    It seems to me that the industry should start insisting on such things. Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security Certification ?

      Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems?

      Lots and they are about as effective as an MCP.

      Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.

      If you look for IT Security jobs you will see this. You really will.

      There are dozens and dozens of IT security certification schemes and training courses. It is very much courses for horses, and everyone will have an opinion as to which are good and which are crap. The SANS courses are generally very, very well regarded but they aren't for everyone.

      1. Swiss Anton

        Re: Security Certification ?

        I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening. I do take your point about SANS, but I am thinking more along the lines of something like an NVQ in IT security as being a minimum for all IT professionals.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security Certification ?

          "its more that all IT jobs should have a proven competency in IT security as an absolute requirement" -- Swiss Anton

          IT jobs don't even require proven competency in IT, let alone the subcategory of security. With a degree in genetics and a PhD in biochemistry this suits me, although it staggers me that after a few hours reading code in a language I didn't know before, I can spot huge errors (by which I mean ones that are simultaneously trivial and massive) committed by soi-disant software 'engineers' or even 'architects', more often than not with the hideously undeserved prefix of 'senior' or even 'principal'.

          The problem is always (upper) management. They are the ones who tell HR to hire from the very bottom of the barrel; the ones that feel almost any form of testing is a waste of budget; and the ones who, time and time again, emerge absolutely scot-free, shrugging off any consequences, either direct (fines or jail time) or indirect (damage to their careers).

          Although it would be nice to think this is a problem that could be approached from the bottom, with certification, professional bodies and meaningful qualifications, after a few decades in the industry I am more and more convinced that it can only be solved top-down. It should not be acceptable for CEOs to issue, via their spokestards, meaningless apologies referring to utterly unsubstantiated 'sophistication'; notifying the authorities too late ('because we wanted to establish the scale of the breach') and transferring all responsibility for cleaning up the mess onto the victims themselves.

          1. Anonymous Coward
            Anonymous Coward

            Inadequate security measures = BREAKING THE LAW

            The Data Protection Act requires that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

            Failure to comply can lead to fines for the company and the company directors.

            So if CW cannot demonstrate that the technical and organisational measures they had in place were "appropriate" [in the light of increasing prevalence of cyber attacks] then both the company and its directors may be liable for HEFTY FINES.

            1. Tom_

              Re: Inadequate security measures = BREAKING THE LAW

              Being as they could improve security at the drop of a hat when something went wrong, I'd say they've demonstrated that the measures they had in place were inadequate at the time of the breach.

              1. .stu

                Re: Inadequate security measures = BREAKING THE LAW

                The improved security consists of taking the customer login portal offline.

        2. Alister

          Re: Security Certification ?

          I'm not looking for an IT security job, it's more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening.

          You could have every member of your IT staff trained and qualified in IT Security, but if your beancounters and middle management don't have an appreciation of the need for security, it ain't going to be implemented correctly.

    2. Synonymous Howard

      Re: Security Certification ?

      Yes (if you must get certified) ...

      SSCP for techies

      CISSP for architects, managers and techies

      They are comprehensive on the best practices... Just reading a CISSP or SSCP study guide and applying the detail would be a good start.

      There are also good best practice guides from SANS and OWASP.

      Don't get hung up on cyber security job titles though .. my job entails security engineer, analyst and architect roles but I've been too busy over the last 20 years to get certified.

    3. Hans 1

      Re: Security Certification ?

      >Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.

      You forgot the Joke icon, my friend. MCP, MCSE, or MCSD, to anybody knowledgeable in Casio or Texas Instruments calculators or more advanced IT systems means window and surface specialist, good with vacuum cleaners and mops, not to be allowed near anything digital.

  7. Zot

    "additional security measures"

    [in a Forest of Dean voice]

    Yarp, 'cos down the forest we don't lock our doors, see! No need to, right?

    1. Richard Taylor 2
      Devil

      Re: "additional security measures"

      But then in 'the forrest' if you are caught snaffling someone's possessions then it is likely to be a Glos version of the Wicker Man end for you.

  8. John Miles

    Next week's Board meeting

    Can we sell our victims customers insurance for ID fraud from when we get hacked next?

    1. Anonymous Coward
      Anonymous Coward

      Re: Next week's Board meeting

      Sounds like a good idea to me, now if only the insurer had some suitable software for allowing their customers to buy themselves some protection ... Do I know you John?

  9. Dan 55 Silver badge
    Holmes

    Why 90,000 customers out of 2.5 million?

    It'd be nice if they could say which kind of customer had their card details taken. Are they the easily led astray who paid for phone insurance or some other 'value added service' with a recurring payment?

    1. Michael Jennings

      Re: Why 90,000 customers out of 2.5 million?

      When you sign up for a contract, they usually ask for your bank account details for the direct debit for your monthly payment, and they also ask for your credit card details. If there is any up-front charge, they normally charge this to a credit card. If there isn't, they normally make a tiny charge (1p, sometimes) to the credit card as a form of identity verification. (Credit card companies don't like this practice, but it still happens fairly often).

      Carphone Warehouse have bought many other businesses over the years. This includes a number of web based mobile phone dealers - e2save, mobiles.co.uk and onestopphoneshop. They have typically kept these brands alive as separate brands. If you go to their websites, it is not obvious that they are Carphone Warehouse unless you read the small print (although if you actually buy a contract from them, they then become open about it after you have signed up). The prices on these websites are usually better than those on Carphone's own branded website or in their store, so I have bought phone contracts that way. I haven't yet received an e-mail from them telling me that they have lost my data, but maybe I will.

      What it seems is that Carphone have not fully (or possibly at all) integrated their customer records from all the businesses that they have bought. Probably their systems are a horrible ad-hoc mess of incompatible systems nastily stitched together. Security practices are probably inconsistent and of varying quality. They have therefore had some customer records compromised and not others, and they took three days figuring out precisely which.

      1. Dan 55 Silver badge
        Thumb Up

        Re: Why 90,000 customers out of 2.5 million?

        That'd explain why some records are encrypted and others aren't.

  10. ecofeco Silver badge

    Another week...

    ...another million user records hack.

    *sigh*

    1. JonP

      Re: Another week...

      ...and within the next week or so there'll be another article about how we all use/re-use bad passwords. As if that will make any difference. I try to make an effort with passwords for any site I give my credit card/personal details to, but clearly I might as all well use "password" for all the good it'll do.

  11. Anonymous Coward
    Anonymous Coward

    Why did they still have people's bank details beyond the requirements of needing them?

    Am I missing the point but having signed up to a contract last year (2 year contract) where the direct debit is set up and charged via the service provider (CPW work on commission) - why are they storing my details used at the point of initiating the contract that should no longer be needed?

    If they did not have them (as no longer required) would that not limit everyone's risk? And doesn't the data protection act say something along the lines of not storing data beyond its requirement?

    To top it off their resolution is solely to say email a sorry letter inferring the clients pick up the bill on time, effort and payment to other companies that may be incurred for their failure (minimum should be signing up those breached to ongoing free credit checks for a certain period of time).

    1. Steve Davies 3 Silver badge

      Re: Why did they still have people's bank details beyond the requirements of needing them?

      But...

      If they did not have them (as no longer required) would that not limit everyone's risk? and doesn't the data protection act say something along the lines of not storing data beyond its requirement?

      The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years. Can't have the plebs laundering a few squid now can we eh? Gotta keep track of everyone just in case they start supporting IS etc etc etc

      Then there is the Taxman (cometh). They are a whole different Kettle (EU Size approved naturally) of Fish.

      So do you really want to be the person who deletes some possible vital (in the eyes of someone else) bit of data?

      1. Ken Hagan Gold badge

        Re: Why did they still have people's bank details beyond the requirements of needing them?

        "The other bits of HMG that are not subject to that law (MI5/MI6/GCHQ etc) will demand that those records are kept for at least 10 years."

        Simple solution: CW copy all the records that they no longer need onto a USB stick, delete the records from their own systems, and give the stick to the spooks. Any subsequent breaches of those records can be blamed on GCHQ.

        But yeah, the spooks aren't actually *helping* the nation's IT security if they force commercial entities to retain records long after they have any value to the commercial entity that is paying for the storage.

  12. Spt101

    Utterly rubbish. Why should I have to pay for credit and security checks/alerts with people like Experian because Dixons Carphone can't be bothered to do security properly themselves?

    I got the email about my credit card details being compromised as a Mobiles.co.uk customer even though I got a contract with o2 through them over 6 months ago and I pay o2 directly. Why have they held my card details??

    Obviously cannot and should not be trusted.

    1. Anonymous Coward
      Anonymous Coward

      You shouldn't - if they were genuinely interested in their negligence and in showing good faith they would have already contacted the likes of Experian and negotiated a deal to cover all those to be able to check for a period of time (I vaguely remember Worcester City Council losing personal data and covering those impacted for 2 years along with enrolment into other monitoring schemes)

      By the email advising they are limiting their liabilities, placing the onus on you whilst knowing only a few will run the gauntlet on the financial loss accrued in following their guidance due to their issue, i.e. £90 x 1000 customers not giving up the blockers in pursuing financial loss is a lot less than 2.4 million customers x £5 (p.s. I am speculating this is how they will look at it - the £90 is 6 months Experian cover - the £5 is a complete guess but would be surprised if they could not get it below that).

  13. Anonymous Coward
    Anonymous Coward

    Here's the most astonishing part

    See conversation, https://twitter.com/TalkTalkCare/status/630093277144948736 They are admitting that passwords were NOT encrypted!? This has to be a joke or someone on the help desk that doesn't know what they're talking about?

    1. Doctor Syntax Silver badge

      Re: Here's the most astonishing part

      AFAICT this is TalkTalk helpdesk's response to their customers who signed up via Carphone Warehouse. So it's not difficult to envisage the situation that TT encrypt (?hash) customer passwords at their end but CW don't leading to a situation where only some TT customers, those from CW, have unencrypted passwords floating about and the rest don't.

      Not being a customer of either I'm not sure about processes here but does this imply that the same password is being passed between the companies?

  14. Anonymous Coward
    Anonymous Coward

    Amazing....

    Someone from TalkTalkCare has admitted on Twitter that some of the passwords stolen were NOT encrypted... I mean really? How does that happen in 2015??

    1. Danny 14

      Re: Amazing....

      Passwords shouldn't have been reversible, never mind encrypted.
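To make the hashing-versus-encryption point from this post and from Doctor Syntax's "encrypt (?hash)" remark above concrete, here is an added example; it is not code from the thread, from Carphone Warehouse or from TalkTalk. It stores only a salted, one-way PBKDF2 hash, so a leaked record can be used to check a login attempt but cannot be reversed to recover the password. The algorithm, iteration count and `algo$iterations$salt$hash` record format are assumptions of the example, not something the companies are known to use.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy for this example (not from the thread): PBKDF2-HMAC-SHA256,
# 16-byte random salt, 600,000 iterations, 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way key derivation: no key exists that turns the output back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$base64(salt)$base64(hash).

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be attacked with one shared lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record; return None if it is malformed rather than raising."""
    parts = record.split("$")
    if len(parts) != 4:
        return None
    algorithm, iterations, salt_b64, digest_b64 = parts
    try:
        return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The stored record never yields the password: verification only answers
    "does this candidate hash to the same value", which is the whole point.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    algorithm, iterations, salt, expected = parsed
    if algorithm != ALGORITHM:
        return False
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made under a weaker policy than the current one.

    Because the hash is one-way, the only moment a stronger hash can be produced
    is when the user presents the password again (i.e. at a successful login).
    """
    parsed = _parse(record)
    if parsed is None:
        return True
    algorithm, iterations, _salt, _digest = parsed
    return algorithm != ALGORITHM or iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: what would sit in the users table instead of a password.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Correct horse battery staple", stored))
    print("needs rehash:", needs_rehash(stored))
```

The `needs_rehash` check is what lets a site raise its iteration count over time without ever holding a recoverable password: the old record is simply replaced on the next successful login. A reversibly encrypted store has no such property; whoever holds the key holds every password.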

  15. Bob McBob
    FAIL

    Crying out for a regulator with teeth

    Some serious fines need to be made for firms to pull their fingers out of their backsides. The max 500K fine is a joke. Hopefully the proposed European data protection regs will go some way to deal with this.

  16. thomas k

    name change in order?

    OneStopCreditCardInfoShop.com

  17. vmistery

    Looking forward to finding out why they still have my details on record 2 years after ordering a contract. There is 0 reason for my bank details to be stored for that long and shows a serious lack of thought about security. I am also looking forward to them sucking it up and ensuring everyone's banks are contacted on their behalf and free fraud monitoring services for all former customers. You can bet I am a former customer by the way.

  18. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    Yes but no but....

    Until someone makes the fuck-tards at the top responsible for the security of the data they are supposed to be protecting things will rarely change.

    I know for a fact that senior management regard IT and especially IT security as nothing but a money pit, and they WILL cut every penny or refuse to invest the money required to ensure that customer data is secure. I am going through this yet again now - all in the name of making things 'simpler', which in actual fact is really making things less secure.

  20. Anonymous Coward
    Anonymous Coward

    We take our customers' security very seriously ...

    ... and we have done ever since Wednesday.

    WHY are they allowed to say this without journalists laughing in their faces? It's no different to being pulled over by the cops for doing 60 in a 30 limit and telling them earnestly "I always drive very carefully."

    I also love the way on the TV news this morning they said "The attack was detected --- and stopped --- on Wednesday" STOPPED? Do me a favour; are we supposed to imagine a plucky CW IT security bod stopping an ominously moving progress bar by rapidly entering keystrokes at a command line, resulting in a whole screen blinking message "ATTACK STOPPED AT 10%". LIES LIES LIES.

    Finally, if it turns out the attack wasn't really that 'sophisticated', any organisation responding with a claim that it was should have their punishment automatically increased for LYING. Not telling the ICO straight away because "we wanted to assess the size of the breach" ALSO LYING. This last lie is so bad that it should warrant an additional fine big enough to seriously damage the long term viability of any company that uses it.

    1. Danny 14

      Re: We take our customers' security very seriously ...

      depends how shit their sql server was. "luckily we had never defragged that table"

    2. Ken Hagan Gold badge

      Re: We take our customers' security very seriously ...

      "Finally, If it turns out the attack wasn't really that 'sophisticated', any organisation responding with a claim that it was should have their punishment automatically increased for LYING."

      Mechanisms do exist for that. If customers notify their banks (and yes, I agree it shouldn't be their job) then the losses will be carried by the banks. These banks *ought* therefore to turn round to CW and say "Your fees for next year (and beyond) will be significantly higher because you are demonstrably shit and costing us a good deal more than simply transaction costs."

      Whether the banks can be bothered, however, is another matter. I expect the costs will simply be passed on until they hit someone who can't pass them on further. That would be you and me.

  21. Gerry 3

    Always the same two passwords...

    Why on earth does a mobile phone company need your Date of Birth? The first rule of security is never to share passwords, and the second is never to use a password that can be easily found out or guessed.

    Yet the standard security questions used by almost all organisations are Date of Birth and Mother's Maiden Name. Disclose those to one and you've effectively let them hack into all your accounts everywhere.

    1. Danny 14

      Re: Always the same two passwords...

      credit search.

  22. Michael Jennings

    I've done business with this bit of CPW. They are cheap. I have received customer service and sales calls from them on occasion, though, in which they have called me, have attempted to sell me an upgrade, I have said yes, and then they have asked me for my address, date of birth, mother's maiden name etc in order that I identify myself. I have refused, on the basis that I don't give personal information to people who have called me, although I might when I have called them. They have then been mystified as to why the two cases might be different. This is not inspiring.

  23. lukewarmdog

    Sophisticated

    Is there a graph somewhere I don't know about which shows how good an attack was versus how good the security on a site was?

    Or a sliding scale maybe starting off with brute force on the left with 0 day attacks on the right?

    I have no idea how they actually get measured. Is there not an El Reg measuring tool? Like half an opm based purely on the numbers used and the probability of it being a nation state sponsored attack?

  24. sjbyrneuk

    Hold on a minute...

    Sure there was a data breach with lots of personal information stolen but "... with the confession that up to 90,000 subscribers may have had their credit card info ransacked.... Encrypted credit card data of up to 90,000 customers may have been lifted by malefactors... ".

    Whoa... did they nick the crypto keys too?? If not then it's useless to them, right? This piece of journalism is too sensationalist and obviously wrong. El Reg, you should know better.

  25. MightyPots

    I really don't get how in today's world, where it is not IF you get attacked but WHEN you get attacked, these companies are still refusing to invest in post breach tech and forensics!

    Seriously... whatever happened to being accountable? whatever happened to business reputation damage limitation? Whatever happened to protecting your most valuable assets... Your bloody customers!!!

    There is no excuse for sloppy security. There is enough tech out there now to investigate an attack as it happens, see what happened 10 minutes before, 10 minutes after AND know exactly what was taken.

    It's just lazy and arrogant not to protect your IP and customers. I hope millions walk from their shocking service. Much better than any fine imposed.

  26. chris 48

    Subject Access Request

    Could someone who has received one of these "We may have leaked some of your details. Our screwup, your problem" emails send Carphone Warehouse a subject access request to find out exactly what information they hold on you? If they send you back your own unencrypted password and credit card details then you know you have to worry.

    https://ico.org.uk/for-the-public/personal-information/

  27. tiesx150

    Encrypted or not?

    So... is this just news-fodder for the media or was this a serious data breach/theft?

    If all that was stolen were encrypted card details then that's as much use to criminals as an igloo in Australia....

    I will admit that having details stolen due to a breach is embarrassing but that's why important data is encrypted in the first place!

    What gives? Are CFW not telling us something? Encrypted data isn't any use to anyone unless they have the means to decrypt it, so why didn't they announce that whilst data was taken it was safe and inaccessible and therefore 'no need to panic'....or was it the media that failed to mention that...?

    1. sjbyrneuk

      Re: Encrypted or not?

      From the scant details we've been given by the press it looks like the thieves got away with a lot of personal data, which is obviously bad, but the cardholder data was encrypted, so no big deal. I agree with you, that bit of the story should be held up as a good news story. They complied with PCI DSS and others.

      After these events are published a ruck of smug smart 4rses comment on how the company that was attacked is to blame. If a thief breaks into a petrol station we don't pillory the station for not having an armed SWAT team available instead of relying on a burglar alarm!! In InfoSec cases we seem to glorify the hacker and castigate the victim. They and other companies are having to pay ridiculous amounts of money to stop these thieves from breaking in and stealing stuff. There's something not quite right there. Let's start referring to them as thieves instead of hackers and maybe that will help change perspective.
