
Hacking of Carphone Warehouse

By ISBuzz Team | August 19, 2015 | Updated: August 21, 2015

Carphone Warehouse has been hacked and the personal details of 2.4 million customers may have been accessed. Up to 90,000 customers may also have had their encrypted credit card details accessed. Security experts from Lieberman Software, Imperva and ESET provide insight and tips for affected customers.

Philip Lieberman, CEO of Lieberman Software:

“This is an excellent example of where the CEO of the company now needs to step in and evaluate whether his leadership of his information technology department yielded what he and his board of directors view as an acceptable loss.

The CEO’s role today must be as the commander and chief of cyber-defense, rather than simply complying with the minimal requirements of auditors.  The CEO should consider a review of their existing security technologies and processes in place to minimize these losses in the future.

Many companies are being hit with these types of attacks and only the CEO can provide the leadership and investments necessary to mitigate these types of bad outcomes.  We would strongly suggest that the CEO and Board of Directors re-evaluate their security vendor choices and internal processes going forward.

As we can all see, perimeter protections failed and leadership needs to come to a hard realization that their interior protections were inadequate for today’s modern attacks.  Appropriate privileged identity management (PIM) solutions coupled with hygienic automated management of identities might have reduced this intrusion to a non-event.

Better solutions and processes exist that would have mitigated these types of losses, but perhaps leadership was listening to the wrong advisors on technology and cyber-defense.  These types of attacks should be anticipated and proper processes should be in place to minimize their consequences so as to not affect most customers.”

Amichai Shulman, CTO of Imperva:

“I think that this is a good example of how media and “normal” people sometimes overlook what attackers are extremely fast to understand. How can someone mention 90,000 credit card numbers (which seem to be encrypted) when 2.4 million records that include bank account numbers as well as personal details have been stolen? Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have “immutable” information about millions of individuals. This is something to worry about.”

Mark James, Security Specialist at IT Security Firm ESET:

What are the risks for customers?

“Data from this breach may well be used in an attempt to directly log into other financially related systems as some people still fail to have unique passwords for different online accounts. This data may also be used in targeted phishing attacks to get more useful data that could also be used for identity theft or other malicious purposes. We all know how to handle that random caller or email that tries to scam us with a half-hearted attempt at gaining our trust but if they are armed with some kind of information that is true along with some knowledge of our explicit data (names, addresses) that trust could be the stepping stone to a successful scam being completed.”

Is it likely that the number of people found to be affected will go up?

“Yes, almost certainly. Data will be circulated and used elsewhere for ongoing spam or malware campaigns. All data has a value and we need to understand that any information can be used for malicious reasons.”

Tips for what customers should do?

“Be vigilant against people calling or emailing with sporadic bits of information in an attempt to gain more data about you. Change your passwords NOW, also remember that you can use different bits of information when filling out forms or applying for web page access. You don’t need to tell the truth about your favourite colour or your first dog’s name. Speak to your bank or financial organisation so they are aware and if still concerned sign up for a reputable credit checking organisation to keep an eye on your credit activity. Lastly keep an eye on your bank statements especially small sporadic payments that are classed as “under the radar” that sometimes can be used to test your bank details.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
