Dixons Carphone breach puts security back on the agenda

Those in the security channel looking for an illustration of the damage to a brand that a data breach can cause have just been handed a fresh example

When US retailer Target was the victim of a cyber attack that exposed the data of its customers, it became one of the most quoted examples by the security industry of what the consequences of a breach can be.

It ticked a lot of the boxes because not only did it show the dangers of what could happen when the layers of protection have gaps, but it also caused significant brand damage, which is a major concern for retailers.

However, one thing was missing from the Target story that meant that when it was used in a sales pitch here it often failed to have as much impact. Because it happened on the other side of the Atlantic, it felt as if it was someone else's problem.

Now the security industry has an example that is much closer to home and you can bet that the Dixons Carphone data breach will be talked about in the security channel for a lot longer than just this August.

Up to 2.4m customers could have had personal information, including credit card details, addresses and dates of birth, accessed as part of the cyber attack.

The retailer found out about it last Wednesday and took immediate action, but has come in for criticism for only revealing it publicly over the weekend.

"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems," said Dixons Carphone chief executive Sebastian James.

"We are, of course, informing anyone who may have been affected, and have put in place additional security measures," he added.

The security industry has been quick to react to the latest high-profile data breach, and many have commented on the fallout that could follow as a consequence of so much personal information being accessed by criminals.

"Data from this breach may well be used in an attempt to directly log into other financially related systems as some people still fail to have unique passwords for different online accounts. This data may also be used in targeted phishing attacks to get more useful data that could also be used for identity theft or other malicious purposes," warned Mark James, security specialist at ESET.

Even though Dixons Carphone had encrypted around 90,000 credit card numbers, the criminals might have gained enough information to do serious damage.

"How can someone even bother to mention 90,000 credit card numbers (which seem to be encrypted) when 2.4m records that include bank account numbers as well as personal details have been stolen? Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have 'immutable' information about millions of individuals. This is something to worry about," said Amichai Shulman, CTO of Imperva.

One of the positives that might come out of this latest breach is that other CEOs reading about the troubles at the tech and telecoms retailer will take a bit more responsibility for what is happening in their own organisations.

The Dixons Carphone attack

On August 5th Dixons Carphone discovered that it had been the victim of a "sophisticated cyber attack" and that the division that operated the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile and certain customers of Carphone Warehouse, had been impacted.

The retailer's investigations revealed that personal data, which may include the name, address, date of birth and bank details of up to 2.4m customers, might have been accessed. Encrypted credit card data of up to 90,000 customers might also have been accessed. Those customers affected by the latest incident are being informed.

Data for PC World and Currys customers, and the majority of Carphone Warehouse customer information, was held on a separate system and was not accessed in this incident.

With many security resellers already benefiting from the way security has become more of a boardroom issue, this latest example will only aid that process.

Philip Lieberman, CEO of Lieberman Software, hoped that more senior managers would now step up and show leadership around IT security.

"The CEO's role today must be as the commander-in-chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future," he said.

"Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes. We would strongly suggest that the CEO and Board of Directors re-evaluate their security vendor choices and internal processes going forward," he added.
