Cyber attacks are now inevitable and retailers should do more to prevent customer details being seen by criminals
Online security experts say the industry as a whole should do more to protect customer data, after 2.4 million Carphone Warehouse customers had their details accessed in a cyber attack last week.
Dixons Carphone, the JV parent of Carphone Warehouse, confirmed that up to 2.4 million customers’ addresses, bank details and dates of birth are feared to have been stolen in the attack and is now reviewing its security.
Details of customers who connected through Carphone Warehouse’s ecommerce brands, e2save, OneStopPhoneShop and Mobiles.co.uk, may have been stolen. Personal details of those who connect directly through the Carphone Warehouse store and the website are understood not to have been stolen.
OPSWAT, which specialises in security software for both businesses and consumers, told Mobile News that firms like Carphone Warehouse must act to ensure all data is encrypted, so that any information seen by criminals is scrambled.
The firm’s vice president of product management Mike Spykerman, who has over 13 years of experience in email security solutions, said such a measure would have eliminated any concern for the firm and its customers.
“No longer a question of if, but when”
“The reality is that data breaches are no longer a question of if, but when,” said Spykerman. “At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines.”
Spear phishing is an attack where cyber criminals send emails appearing to be from a trusted individual or company. These emails take advantage of a recipient’s trust to steal personal information, including bank account details or passwords.
Lieberman Software Corporation, which specialises in protecting its customers from cyber attacks, also reacted to the news. The company’s commander-in-chief Philip Lieberman, who has over 35 years of experience in the software industry, said the attack highlights why Carphone CEO Andrew Harrison needs to re-evaluate the company’s security measures.
“The CEO’s role today must be as the command and chief of cyber-defense, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimise these losses in the future.”
Good Technology specialises in mobile security and believes the attack provides a wake-up call to the industry over the real dangers of cyber attacks. The firm’s general manager Phil Barnett, formerly of BT, argues that many companies still haven’t fully grasped how to protect their customers’ personal data.
“Data is a company’s biggest asset, but many organisations haven’t yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won’t go away and companies need to change their mindset in order to solve it.”
Imperva offers businesses protection against cyber attacks. Its CTO Amichai Shulman, who has previously served in the Israel Defence Forces, argues that the information potentially available to hackers is worrying. “I do think that this is a good example of how media and ‘normal’ people sometimes overlook what attackers are extremely fast to understand. Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have ‘immutable’ information about millions of individuals. This is something to worry about.”
Kaspersky, which specialises in internet security and anti-virus software, has also issued warnings. Kaspersky principal security researcher David Emm, who has worked in the anti-virus industry since 1990, said: “Carphone Warehouse has said that it has contacted all those affected. However, I would recommend that all Carphone Warehouse customers take the opportunity to change their passwords – including changing them on any other sites where they have used the same password.”
“They should also be cautious about any e-mails they receive. The hackers behind the attack may already have been able to formulate phishing emails, so consumers must think carefully about whether the emails they receive are legitimate. I would caution against clicking links in e-mails – it’s always better to type the website address manually, to avoid the risk of being redirected to a phishing site.”