The U.K. Information Commissioner’s Office (ICO) says it’s investigating a recent breach at British phone retailer Carphone Warehouse, which may have exposed as many as 2.4 million customers’ names, addresses, birthdates and bank information, along with up to 90,000 customers’ encrypted credit card data.
Customers of Carphone Warehouse may be affected, along with customers of OneStopPhoneShop.com, e2save.com, Mobiles.co.uk, iD Mobile, TalkTalk Mobile and Talk Mobile. The Guardian reports that approximately 480,000 of those affected are TalkTalk Mobile customers, and 1.9 million are direct customers of Carphone Warehouse.
“We have been made aware of this incident at the Carphone Warehouse and are making enquiries,” an ICO spokesperson said in a statement. “Any time personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings.”
Carphone Warehouse says the breach was discovered on August 5, 2015 and disclosed on August 8, 2015. “We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected,” the company said in a statement. “We have also put in place additional security measures to prevent further attacks.”
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that it’s worth noting that the breach was discovered internally by Carphone Warehouse and was disclosed within days of its discovery. “That’s an improvement over breaches that were discovered through credit card fraud and kept undisclosed for longer periods of time,” he said.
And Phil Barnett, vice president and general manager, EMEA at Good Technology, said by email that many companies are flying blind when it comes to security, because they still think it doesn’t affect them. “The truth is that it’s not just a conversation for banks or governments anymore — anyone and everyone is a potential victim of hacks and data leaks,” he said.
“Data is a company’s biggest asset, but many organizations haven’t yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access,” Barnett added. “The security challenge won’t go away, and companies need to change their mindset in order to solve it.”
A recent eSecurity Planet article offered advice on improving database security.