Carphone Warehouse, a mobile device retail brand based in the United Kingdom that also includes a number of e-commerce sites, reported earlier this month that it had discovered a major vulnerability in its IT system that led to the loss of information on about 2.4 million customers.
On Aug. 5, the company discovered that its systems had been breached by what it has described as "a sophisticated cyber-attack." Carphone Warehouse brands TalkTalk Mobile, iD Mobile, Talk Mobile, OneStopPhoneShop.com, e2save.com and Mobiles.co.uk were affected by the breach, but pcworld.co.uk and currys.co.uk were not.
Carphone Warehouse reported that the personally identifying information – which includes bank details, addresses, names and dates of birth – of around 2.4 million people was leaked in the incident. An additional 90,000 customers had their credit card data breached, but that data was encrypted. The news of the breach was made public on Aug. 8.
"This attack was a sophisticated one and is part of the reality of the modern world. Our priority is reducing risk and inconvenience for customers and continuing to build ever stronger defenses," the company said in a statement. The business added, "We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks."
What will the fallout be for the organization?
While Carphone Warehouse was able to quickly detect the issue and take steps to address it right away, the company will nevertheless likely have to deal with bad press and high recovery costs in the weeks and months ahead. According to the Ponemon Institute, the average data breach costs a company around $3.8 million. This is up from previous years, and the figure will likely keep rising.
"Based on our field research, we identified three major reasons why the cost keeps climbing," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management."
In addition, the BBC reported that many customers are upset at Carphone Warehouse because of the breach. This reputational damage could be quite devastating down the road, as a March 2014 survey from Semafone found that around 86 percent of those polled said they were unlikely to do business with a company that had credit and/or debit card information leaked from its network.
"I am extremely upset as well as worried and scared," said one Carphone Warehouse customer, identified only as Kerri from Petersfield, according to the BBC. "Firms like Carphone Warehouse need to be held accountable for security breaches."
Main lessons that can be learned from this breach
One mistake many organizations make is that they rely too heavily on encryption to protect themselves, thinking that if data is encrypted it won't be targeted by hackers. As this intrusion shows, that is not the case. While encrypting all data is a good idea – if Carphone Warehouse had encrypted all of its data then perhaps the fallout from this data leak would be less severe – it is not a panacea.
Still, it is good that Carphone Warehouse was able to spot the anomalous behavior so quickly, as this is perhaps one of the best things companies can do today in regard to data breaches and cybercrime. In comparison, many organizations need a lot more time to find such issues. A 2014 study found that 43 percent of Web application-based attacks took months to discover, and 85 percent of leaks related to point-of-sale systems took weeks to be brought to light.
Preventative measures like anti-virus software and firewalls no longer cut it, as hackers know how to bypass these defenses. Instead, organizations should adopt detection and response managed services. That way, irregular actions can be spotted in near real-time by a managed SIEM provider, allowing the organization to take action quickly.
Cybersecurity news and analysis brought to you by Arctic Wolf, leading providers of detection and response security services. DRMS, when your firewall fails.