The personal data, including bank details, of millions of Carphone Warehouse customers may have been accessed in a “sophisticated cyber-attack”, the retailer has admitted.
The high street firm is investigating how hackers breached the IT systems of one of its UK divisions last week, an attack that also affected TalkTalk mobile customers.
In a statement on Saturday, Carphone Warehouse revealed that the personal details of as many as 2.4 million customers may have been accessed by the hackers, including names, addresses, date of birth information and bank details.
The credit card data of 90,000 customers “may also have been accessed”, the company said, although this was stored in an encrypted form.
Forensic experts from a firm specialising in cyber-attacks are investigating the breach, while Scotland Yard has been notified along with the Information Commissioner’s Office. “The firm is crawling all over our systems,” said a spokesman for Carphone Warehouse.
It is not known whether the National Crime Agency’s national cyber crime unit, which leads the UK’s response on the issue, is involved. Websites affected by the attack include OneStopPhoneShop.co.uk, e2save.com and Mobiles.co.uk, and Carphone Warehouse also provides services to TalkTalk Mobile, Talk Mobile, and to its own recently launched iD mobile network.
Sebastian James, chief executive of Dixons Carphone, said: “We take the security of customer data extremely seriously, and we are very sorry people have been affected by this attack. We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
Carphone Warehouse, which is owned by Dixons Carphone following last year’s £3.7bn merger, also incorporates Currys and PC World.
The retailer said the customer information of Currys and PC World, and “the vast majority” of Carphone Warehouse customer data, was held on separate systems and had not been affected.
Although the breach took place on Wednesday, the firm began contacting affected customers by email on Saturday, and said it had taken down affected websites as a precaution.
“We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience,” a statement said.
Customers who suspected they were a victim of fraud were told to contact Action Fraud, the UK’s national fraud and internet crime reporting centre.
Customers reacted angrily on Twitter to the news of the potential security breach.
CliffSull questioned how the company was reassuring customers. He tweeted: “This is the #Infosec department at #carphonewarehouse - sorry we can’t take your call right now - all of our agents are busy just now ...”
Meanwhile, Matthew Tomlinson wrote: “So @CPWTweets has a data breach on the 5th August yet doesn’t inform customers until the 8th. Why did it take 3 days?”
Jamie McConkey highlighted what he saw as a lack of information from the mobile phone provider. “Apparently crisis management means hiding in your bunker #CarphoneWarehouse”.
Defending Britain against cyber-attacks and repairing the damage done by hackers who penetrate security systems costs businesses £34bn a year, according to the Centre for Economics and Business Research. It found the problem was widespread, with 15% of businesses questioned saying they had lost revenue due to a cybersecurity breach.
Experts say that lost revenue is just one part of the problem, warning that loss of reputation or brand damage poses a serious threat to listed companies, with firms that suffer from security breaches often witnessing a fall in their share price. Others warn that, following a series of alarming hacks, a catastrophic attack is imminent.
The RBS banking group recently revealed it had suffered a cyber-attack on its online services that left customers struggling to log on as monthly pay cheques were arriving in accounts.
guardian.co.uk © Guardian News and Media Limited 2010