back to article Carphone Warehouse coughs to MONSTER data breach – 2.4 MEELLION Brits at risk

Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked. The company said on Saturday afternoon that it had first discovered its systems had been violated by a " …

Your customer details...

The new Gold, better than gold!

That's how many in the past two months? Some people have been really, really busy..

5
0
Silver badge
Windows

Re: Your customer details...

And who's the new front running in slurping customer details? Microsoft!

11
6
Silver badge

Re: Your customer details...

I voluntarily give Microsoft my details each year. I sign many agreements with my name, address and other details, I also sign electronic agreements with my info too. I get sent one email per year from them, I have never had an unsolicited email, phone call or snail mail from them.

1
1
Silver badge

Re: Your customer details...

>I have never had an unsolicited email, phone call or snail mail from them.

Not from them, but from "partners", maybe ?

1
0
Silver badge
Holmes

mega data breach.?

With 90'000 customers affected, it's more like a kilo data breach.

Eagerly waiting for the song "summer of breaches" by some nu metal band. "BreeeAACHHESSS!! RoooROOORrrooo"

4
1
Anonymous Coward

They fuck up, you have to sort it out?

So Carphone Warehouse get hacked. Its always a sophisticated hack because they can't admit their security is utter shite, I'm surprised they don't claim they were hacked by a Nation State to try and shift the blame elsewhere.

They then compound their stupidity by telling the customer its their responsibility to sort out issues. What a bunch of utter clueless fuckwits. I'm pleased I pay for all my PAYG with cash as I need it.

Epic fail.

29
0
Silver badge

Re: They fuck up, you have to sort it out?

What? You've never heard the phrase "privatize the profits, socialize the losses?"

What's even more amazing is that people put up with this shit. Truly, we have the governments we deserve.

12
2
Anonymous Coward

Re: They fuck up, you have to sort it out?

As they have the bank and credit card details on-hand then they should be informing the banks directly. I cannot see any excuse for them not to.

Oh wait, that would cost more. How much is a ruined reputation worth these days?

5
0

Sophisticated...

So obviously not our fault. What could we do? So no compensation for all the inconvenience changing CC details, passwords, pins and ongoing identity theft risk, because, well, how could we ever be expected to defend ourselves against an attack as sophisticated as that.

Yeah, right. Funny how *all* these attacks are sophisticated.

16
0

Re: Sophisticated...

Just come to say much the same thing "sophisticated cyber attack" short for we did not apply the patches, left the password at default etc.

4
0
Silver badge

Re: Sophisticated...

And how are we supposed to know when "Bob" from accounting calls asking for his password, that it's not him?

That twat can never remember his password!

2
0
Silver badge
Flame

Re: Sophisticated...

By having 2 factor authentication Bob should use a key of some sort besides his password.

0
0
Silver badge

Re: Sophisticated...

bob lost his dongle AND changed address to Nigeria at the same time. It took a week to mail a new one to him so we could change his password.

4
0
Silver badge
Happy

Re: Sophisticated...

'By having 2 factor authentication Bob should use a key of some sort besides his password.'

He did, we texted the auth code to his phone... D'oh

0
0
Silver badge

The usual waffle about announcing a breach and then saying your security is important to us. Has it just become important now it's too late? Possibly. It'd be a bit tough to claim that it had been important prior to the breach.

7
0

Compared to the level of competence of the staff on my local branch, URL parameter stuffing would be sophisticated.

0
3

Downvoters, just a question - do you know where I live and the branch I'm referring to and the staff are your stepsiblings or something? I can't believe it's you personally, as if you're able to comprehend The Reg, you're not telling me technical lies.

1
2

Sorry

Had to downvote your post about downvotes because, well, thats generally what happens around these parts. There's been many a time I've started to write a rant about downvotes on my posts, even on posts that contain simple undeniable facts rather than opinions, but then thought better of it. Its best just to ignore them.

3
0

Re: Sorry

Lol cheers Shades, I'm running a balance of 6000 more up votes than down, so can take the hit (especially as points don't, apparently, make prizes). Please do the honourable and down vote this post as well, just because commentards.

+1 for you by the way

1
3

"The usual waffle about announcing a breach and then saying your security is important to us."

I have a lot of important things on my To-Do list as well... doesn't mean that I will tackle them any time soon, since there are different shades of importance, and then there's priorities, and meetings about priorities and backlogs with lots of important things... Sounds familiar, Carphone Warehouse?

0
0
Silver badge
Facepalm

Re: Sorry

Well I'm glad that you feel nice and validated by all the up votes.

0
0

Security Certification ?

Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.

It seems to me that the industry should start insisting on such things. Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.

1
0
Anonymous Coward

Re: Security Certification ?

Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems?

Lots and they are about as effective as an MCP.

Recently I've been looking at a lot of job adverts, but haven't seen any requiring knowledge of IT security.

If you look for IT Security jobs you will see this.You really will.

There are dozens and dozens of IT security certification schemes and training courses. It is very much courses for horses, and everyone will have an opinion as to which are good and which are crap. The SANS courses are generally very, very well regarded but they arent for everyone.

1
0

Re: Security Certification ?

I'm not looking for an IT security job, its more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening. I do take your point about SANS, but I am thinking more along the lines of something like an NVQ in IT security as being a minimum for all IT professionals.

1
0

Re: Security Certification ?

Yes (if you must get certified) ...

SSCP for techies

CISSP for architects, managers and techies

They are comprehensive on the best practices... Just reading a CISSP or SSCP study guide and applying the detail would be a good start.

There are also good best practice guides from SANS and OWASP.

Don't get hung up on cyber security job titles though .. my job entails security engineer, analyst and architect roles but I've been too busy over the last 20 years to get certified.

0
0
Anonymous Coward

Re: Security Certification ?

"its more that all IT jobs should have a proven competency in IT security as an absolute requirement" -- Swiss Anton

IT jobs don't even require proven competency in IT, let alone the subcategory of security. With a degree in genetics and a PhD in biochemistry this suits me, although it staggers me that after a few hours reading code in a language I didn't know before, I can spot huge errors (by which I mean ones that are simultaneously trivial and massive) committed by soi disant software 'engineers' or even 'architects', more often than not with the hideously undeserved prefix of 'senior' or even 'principal'.

The problem is always (upper) management. They are the ones who tell HR to hire from the very bottom of the barrel; the ones that feel almost any form of testing is a waste of budget; and the ones who, time and time again, emerge absolutely scot-free, shrugging off any consequences, either direct (fines or jail time) or indirect (damage to their careers).

Although it would be nice to think this is a problem that could be approached from the bottom, with certification, professional bodies and meaningful qualifications, after a few decades in the industry I am more and more convinced that it can only be solved top-down. It should not be acceptable for CEOs to issue, via their spokestards, meaningless apologies referring to utterly unsubstantiated 'sophistication'; notifying the authorities too late ('because we wanted to establish the scale of the breech') and transferring all responsibility for cleaning up the mess onto the victims themselves.

3
0
Anonymous Coward

Inadequate security measures = BREAKING THE LAW

The Data Protection Act requires that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Failure to comply can lead to fines for the company and the company directors.

So if CW cannot demonstrate that the technical and organisational measures they had in place were "appropriate" [in the light of increasing prevalence of cyber attacks] then both the company and its directors may be liable for HEFTY FINES.

0
0

Re: Inadequate security measures = BREAKING THE LAW

Being as they could improve security at the drop of a hat when something went wrong, I'd say they've demonstrated that the measures they had in place were inadequate at the time of the breech.

1
0
Silver badge

Re: Security Certification ?

I'm not looking for an IT security job, its more that all IT jobs should have a proven competency in IT security as an absolute requirement. Sadly they don't. Until then such SNAFUs will keep on happening.

You could have every member of your IT staff trained and qualified in IT Security, but if your beancounters and middle management don't have an appreciation of the need for security, it ain't going to be implemented correctly.

0
0
Silver badge

Re: Security Certification ?

>Are there any recognised qualifications that I could try for to prove that I have been trained to a suitable level in the design of secure computing systems? Something like the Microsoft Certified Professional programmes.

You forgot the Joke icon, my friend. MCP, MCSE, or MCSD, to anybody knowlegeable in Casio or Texas Instruments calculators or more advanced IT systems means window and surface specialist, good with vacuum cleaners and mops, not to be allowed near anything digital.

0
0

Re: Inadequate security measures = BREAKING THE LAW

The improved security consists of taking the customer login portal offline.

0
0
Zot

"additional security measures"

[in a Forest of Dean voice]

Yarp, 'cos down the forest we don't lock our doors, see! No need to, right?

1
0
Bronze badge
Devil

Re: "additional security measures"

The but then in 'the forrest' if you are caught snaffling someones possessions then it is likely to be a Glos version of the Wicker Man end for you.

1
0

Next week's Board meeting

Can we sell our victims customers insurance for ID fraud from when we get hacked next?

3
1
Anonymous Coward

Re: Next week's Board meeting

Sounds like a good idea to me, now if only the insurer had some suitable software for allowing their customers to buy themselves some protection ... Do I know you John?

0
0
Silver badge
Holmes

Why 90,000 customers out of 2.5 million?

It'd be nice if they could say which kind of customer their card details taken. Are they the easily led astray who paid for phone insurance or some other 'value added service' with a recurring payment?

1
0

Re: Why 90,000 customers out of 2.5 million?

When you sign up for a contract, they usually ask for your bank account details for the direct debit for your monthly payment, and they also ask for your credit card details. If there is any up-front charge, they normally charge this to a credit card. If there isn't, they normally make a tiny charge (1p, sometimes) to the credit card as a form of identity verification. (Credit card companies don't like this practice, but it still happens fairly often).

Carphone Warehouse have bought many other businesses over the years. This includes a number of web based mobile phone dealers - e2save, mobiles.co.uk and onestopphoneshop. They have typically kept these brands alive as separate brands. If you go to their websites, it is not obvious that they are Carphone Warehouse unless you read the small print (although if you actually buy a contract from them, they then become open about it after you have signed up). The prices on these websites are usually better than those on Carphone's own branded website or in their store, so I have bought phone contracts that way. I haven't yet received an e-mail from them telling me that they have lost my data, but maybe I will.

What it seems is that Carphone have not fully (or possibly at all) integrated their customer records from all the businesses that they have bought. Probably their systems are a horrible ad-hoc mess of incompatible systems nastily stitched together. Security practices are probably inconsistent and of varying quality. They have therefore had some customer records compromised and not others, and they took three days figuring out precisely which.

2
0
Silver badge
Thumb Up

Re: Why 90,000 customers out of 2.5 million?

That'd explain why some records are encrypted and others aren't.

0
0
Silver badge

Another week...

...another million user records hack.

*sigh*

2
0

Re: Another week...

...and within the next week or so there'll be another article about how we all use/re-use bad passwords. As if that will make any difference. I try to make an effort with passwords for any site I give my credit card/personal details to, but clearly I might as all well use "password" for all the good it'll do.

2
0
Anonymous Coward

Why did they still have people bank details beyond the requirements of needing them?

Am I missing the point but having signed up to a contract last year (2 year contract) where the direct debit is set up and charged via the service provider (CPW work on commission) - why are they storing my details used at the point of initiating the contract that should no longer be needed?

If they did not have them (as no longer required) would that not limit everyone's risk? and doesn't the data protection act say something along the lines of not storing data beyond its requirement?

To top it off their resolution is solely to say email a sorry letter inferring the clients pick up the bill on time, effort and payment to other companies that may be incurred for their failure (minimum should be signing up those breached to on going free credit checks for a certain period of time).

6
0
Silver badge

Re: Why did they still have people bank details beyond the requirements of needing them?

But...

If they did not have them (as no longer required) would that not limit everyone's risk? and doesn't the data protection act say something along the lines of not storing data beyond its requirement?

The other bits of HMG that are not subject to that law (MI5/MI6/CGHQ etc) will demand that those records are kept for at least 10 years. Can't have the plebs laundering a few squid now can we eh? Gotta keep track of everyone just in case they start supporting IS etc etc etc

Then there is the Taxman (cometh). They are a whole different Kettle (EU Size approved naturally) of Fish.

So do you really want to be the person who deletes some possible vital (in the eyes of somene else) bit of data?

0
0
Gold badge

Re: Why did they still have people bank details beyond the requirements of needing them?

"The other bits of HMG that are not subject to that law (MI5/MI6/CGHQ etc) will demand that those records are kept for at least 10 years."

Simple solution: CW copy all the records that they no longer need onto a USB stick, delete the records from their own systems, and give the stick to the spooks. Any subsequent breaches of those records can be blamed on GCHQ.

But yeah, the spooks aren't actually *helping* the nation's IT security if they force commercial entities to retain records long after they have any value to the commercial entity that is paying for the storage.

1
0
Anonymous Coward

Amazing....

Someone from TalkTalkCare has admitted on Twitter that some of the passwords stolen were NOT encrypted... I mean really? How does that happen in 2015??

2
0
Silver badge

Re: Amazing....

passwords shouldn't have been reversible never mind encrypted.

1
0
Anonymous Coward

Here's the most astonishing part

See conversation, https://twitter.com/TalkTalkCare/status/630093277144948736 They are admitting that passwords were NOT encrypted!? This has to be a joke or someone on the help desk that doesn't know what they're talking about?

2
0
Silver badge

Re: Here's the most astonishing part

AFAICT this is TalkTalk helpdesk's response to their customers who signed up via Carphone Warehouse. So it's not difficult to envisage the situation that TT encrypt (?hash) customer passwords at their end but CW don't leading to a situation where only some TT customers, those from CW, have unencrypted passwords floating about and the rest don't.

Not being a customer of either I'm not sure about processes here but does this imply that the same password is being passed between the companies?

0
0

Utterly rubbish. Why should I have to pay for credit and security checks/alerts with people like Experian because Dixons Carphone can't be bothered to do security properly themselves?

I got the email about my credit card details being compromised as a Mobiles.co.uk customer even though I got a contract with o2 through them over 6 months ago and I pay o2 directly. Why have they held my card details??

Obviously cannot and should not be trusted.

3
0
Anonymous Coward

You shouldn't - if they were genuinely interested in their negligence and in showing good faith they would have already contacted the likes of Experian and negotiated a deal to cover all those to be able to check for a period of time (I vaguely remember Worcester City Council losing personal data and covering those impacted for 2 years along with enrolment into other monitoring schemes)

By the email advising they are limiting their liabilities, placing the onus on you whilst knowing only a few will run the gauntlet on the financial lose accrued in following their guidance due to their issue i.e. £90 x 1000 customers not giving up the blockers in pursuing financial loss is a lot less than 2.4 million customers x £5 (p.s. I am speculating this is how they will look at it - the £90 is 6 months Experian cover - the £5 is a complete guess but would be surprised if they could not get it below that).

0
0
FAIL

Crying out for a regulator with teeth

Some serious fines need to be made for firms to pull their fingers out of their backsides. The max 500K fine is a joke. Hopefully the proposed european data protection regs will go someway to deal with this.

6
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017