Carphone Warehouse Data Breach Affects 2.4m

British mobile phone retailer Carphone Warehouse (CPW) has written to 2.4m customers to advise them of the consequences of a data breach. The letter states that CPW discovered the cyber attack on 5th August, and that it was targeted at three of their online businesses. Personal data was compromised, including names, addresses, bank and credit card details.

The affected websites are onestopphoneshop.com, e2save.com, and mobiles.co.uk. At time of writing, it appears that all these sites have been taken down.

Carphone Warehouse merged with electrical retailer Dixons last year, in a deal worth GBP3.8bn (USD5.4bn). They operate over 3,000 stores and have combined sales worth over GBP10bn (USD15bn). However, they do not believe that the data of any other customers has been accessed.

Sebastian James, Chief Executive of Dixons Carphone, issued the usual post-breach apologies to the media. It becomes increasingly hard to understand why executives bother to mitigate the reputation damage for this kind of repeated failure. Surely everybody now believes that every business is irresponsible with data. The usual stock phrases were offered by James, including: ‘we have put in place additional security measures’, and ‘we take security extremely seriously’, and ‘we are very sorry’. Cyber attacks on business are increasingly common, and increasingly prominent. If they keep happening to businesses that take security ‘extremely’ seriously, the only sensible riposte is that businesses should stop being so complacent and start taking security ‘extremely extremely’ seriously.

Like many other businesses who found themselves in a similar situation, Dixons Carphone are so very sorry that if you happen to be a worried customer, you will learn literally nothing about the breach by visiting any of the corporation’s websites or social media accounts. To find out what happened, you need to go to a news outlet instead; I struggle to understand how this will improve confidence in a tarnished supplier. And if you were one of the people who suffered a loss because your credit card details had been compromised, you might wonder why it took several days to be informed of the breach.

This is the second time this year that a company chaired by Charles Dunstone, founder of Carphone Warehouse, has revealed it was hacked for personal data. TalkTalk, the communications provider, admitted it suffered a data breach which led customers to be plagued by scams. TalkTalk started in 2003 as a subsidiary of Carphone Warehouse, and was demerged in 2010.

Ho hum… another breach in the world of big business, and more platitudes spouted by a CEO who is indifferent to the distress caused to customers because of his organization’s failure to implement adequate security. The sad truth is that this is barely a news story any more. We are approaching the point where it is not necessary to write a separate post for every major data breach. We could write the same text for every breach and leave it permanently on the front page of Commsrisk, just occasionally changing the name of the business and the number of innocent individuals who have suffered as a result.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.