Slashdot Mirror


2.4 Million Customers' Records Stolen From Carphone Warehouse

AmiMoJo writes: The UK's data watchdog is "making inquiries" after Carphone Warehouse said the personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack. Details taken include names, addresses and bank account details. Additionally, 90,000 people's "encrypted" credit card details were accessed, but there is no word on what type of encryption was used. Customers are advised to contact their banks (who I'm sure will be ready to handle 2.4 million phone calls), keep an eye on credit records and contact Action Fraud, the UK police's outsourced and rather useless fraud reporting centre that last month went bankrupt.

51 comments

  1. The worst part about this breach by Anonymous Coward · · Score: 0

    Is we learned that 2.4 million people in the UK still use car phones.

    1. Re:The worst part about this breach by umghhh · · Score: 1

      They should not be doing this because?

    2. Re:The worst part about this breach by amalcolm · · Score: 1

      It's just a brand name... they sell mobile phones. They kept the name because apparently it has brand value.

      --
      Time for bed, said Zebedee - boing
    3. Re:The worst part about this breach by nitehawk214 · · Score: 2, Funny

      It's just a brand name... they sell mobile phones. They kept the name because apparently it has brand value.

      Brand value? So they are also idiots in marketing as well as security.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  2. At Least... by sycodon · · Score: 2

    ...it's not something Paul Potts has to worry about.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:At Least... by Anonymous Coward · · Score: 0

      That is still just as amazing now as then!

  3. ROT-13, twice by John Bokma · · Score: 4, Funny

    "Additionally, 90,000 people's "encrypted" credit card details were accessed, but there is no word on what type of encryption was used" Wouldn't surprise me if it was ROT-13, applied twice for twice the security :-(.

    1. Re:ROT-13, twice by Anonymous Coward · · Score: 0

      Can't tell how funny you are... because ROT-13 doesn't do anything to numbers... only letters.

    2. Re:ROT-13, twice by Anonymous Coward · · Score: 0

      Nope. It was just flat ROT-0, applied nonce, so no encryption whatsoever as per standard operating procedure.

      This company deserves to sink into a pit and die, along with all its employees and CEO. These people need to free up some space in the gene pool for actual thinking human beings that give two shits about their fellow human beings.

    3. Re:ROT-13, twice by Anonymous Coward · · Score: 0

      You can have access to encrypted data, but it's near useless unless you know the salts and hashes used. Merely obtaining decrypted data doesn't mean you know what it is. Durrr.

      You've probably been waiting to use that pathetic joke. Oh, you are a witty one. Ho ho, my sides, my sides.

    4. Re:ROT-13, twice by Anonymous Coward · · Score: 0

      If you're going to be "that random asshole on the internet", at least try to make your first point coherent.

    5. Re:ROT-13, twice by AmiMoJo · · Score: 1

      I like the way their attitude is "sorry, now sort it out yourself LOL". They should contact affected people's banks and either set up their own fraud reporting service or donate some serious cash to Action Fraud. Hopefully the ICO will give them a punishing fine for this.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:ROT-13, twice by houghi · · Score: 2, Interesting

      Not sure if they even are allowed to give any information to the banks. There are serious restrictions on what can and what can not be done due to privacy laws in Europe.

      I know that where I am, we would NOT be allowed to inform the banks of our customers doing, besides; well, nothing.
      We could send a general message to them, but that is where it stops and I assume that has been done.

      And the bank can not take action because of a third party who says something. Also due to privacy reasons.

      Otherwise any disgruntled person could call and say whatever about my account. So even though it sounds stupid that people must solve this themselves, it is not.

      What might even happen is that they send the info of the breach to the bank and then the bank can contact the customer, if they want to. However the official stand would ALWAYS be "have an issue with your bank? Contact your bank." In no way can one company take action in name of another.

      And what about the saved Credit Card information? This is most likely due to the fact that people want to have their monthly payments done by Credit Card.

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:ROT-13, twice by Anonymous Coward · · Score: 0

      It would never happen in Japan, and if it did the CEO of the company would be so ashamed that he'd commit harikrishna.

    8. Re:ROT-13, twice by behrooz0az · · Score: 1

      I think Harakiri/Seppuku is what you mean because Harakrishna is an Indian name.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    9. Re:ROT-13, twice by tompaulco · · Score: 1

      There are serious restrictions on what can and what can not be done due to privacy laws in Europe.

      For example, is it illegal to store a credit card number, even if encrypted? It ought to be.
      In the United States, if you take all the precautions required under PCI, you can store the credit card, but it is far safer to only send the credit card number to the processor once and receive a token back which is a hash associated with the card AND with your merchant account so even if stolen and somehow used, it cannot be used for the benefit of the thief.

      --
      If you are not allowed to question your government then the government has answered your question.
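
The merchant-scoped token described in the comment above, sketched as an added example (not part of the original thread and not any real processor's API). `ToyProcessor`, `MerchantDB` and the merchant IDs are hypothetical, the card number is a constructed test value, and the token is modelled as an HMAC because the comment calls it a hash.

```python
import hashlib
import hmac
import secrets


class ToyProcessor:
    """Stand-in for a payment processor's token vault (hypothetical API)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the processor
        self._vault = {}                      # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # Keyed hash over merchant and card: without the processor's key the
        # token cannot be recomputed or reversed by brute-forcing card numbers.
        msg = f"{merchant_id}|{pan}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, pence: int) -> bool:
        # merchant_id stands for the caller's authenticated identity.
        entry = self._vault.get(token)
        if entry is None or not hmac.compare_digest(entry[0], merchant_id):
            return False                      # unknown token or wrong merchant
        return pence > 0                      # a real processor would settle here


class MerchantDB:
    """What the merchant keeps: token and last four digits, never the PAN."""

    def __init__(self, processor, merchant_id):
        self.processor, self.merchant_id = processor, merchant_id
        self.rows = {}

    def save_card(self, customer: str, pan: str) -> None:
        token = self.processor.tokenize(self.merchant_id, pan)
        self.rows[customer] = {"token": token, "last4": pan[-4:]}

    def bill(self, customer: str, pence: int) -> bool:
        token = self.rows[customer]["token"]
        return self.processor.charge(self.merchant_id, token, pence)


def demo():
    proc = ToyProcessor()
    shop = MerchantDB(proc, "merchant-A")
    shop.save_card("alice", "4111111111111111")   # constructed test number
    copied = shop.rows["alice"]["token"]          # all a copied database holds
    return shop.bill("alice", 1500), proc.charge("merchant-B", copied, 1500), shop.rows
```

`demo()` returns the merchant's own charge result, the result of the same token presented under a different merchant identity, and the rows the merchant actually stores.
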
    10. Re:ROT-13, twice by omnichad · · Score: 1

      Is that the code where 1 becomes K, 2 becomes L and so on?

  4. Carphone? by Anonymous Coward · · Score: 0

    Did I just step back into 1995?

    1. Re:Carphone? by AmiMoJo · · Score: 2

      It's an old name, they don't actually sell carphones any more, only normal mobile phones (and some really shitty hands-free kits for your car). They actually had the good sense to keep their name, despite it being outdated.

      Brand management idiots will often recommend rebranding, but it's almost always suicide. Coco-Pops became something forgettable and then had to change back. Royal Mail became Consignia and then had to change back. People recognize Carphone Warehouse now, despite it not selling carphones or being a warehouse.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Carphone? by Anonymous Coward · · Score: 1

      Actually, they merged with Dixons, and changed their name to Dixons Carphone, which is utterly retarded. They changed their name, AND held onto the half which has been completely redundant for at least 10 years...

    3. Re:Carphone? by JaredOfEuropa · · Score: 1

      Dixons Warehouse would have made even less sense.

      Carphone warehouse is a nice, sensible (and yes: somewhat outdated) name. These days a lot of companies seem to go for utterly forgettable faux Latin names, or they take regular words but spell them slightly different, preferably using Qs and Zs. Ugh. Makes me long for the day when founders of a company would often just stick their own names on the door. A recent example: Andrews and Arnold Ltd, an ISP in the UK. Goes against every modern branding guideline, but these days I consider that a plus.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Carphone? by Godwin O'Hitler · · Score: 1

      In their international operation, Carphone Warehouse becomes just "The Phone House". And it has been so for over 15 years.
      So I guess if the UK operation is still called Carphone Warehouse, they must still be in love with it.
      I don't personally see the advantage in passing through a middleman. Same phones, same operators, same contract.

      --
      No, your children are not the special ones. Nor are your pets.
    5. Re:Carphone? by Viol8 · · Score: 1

      "I don't personally see the advantage in passing through a middleman."

      Getting a choice of different operators and phones all in one shop is the advantage.

    6. Re:Carphone? by alex67500 · · Score: 1

      They usually end up pushing customers to the provider that gives them the best kick-back at the time, so not quite so independent...

    7. Re:Carphone? by badzilla · · Score: 1

      It has also done well at retaining its colloquial name which is Crap-phone Whorehouse.

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    8. Re:Carphone? by Xiaran · · Score: 2

      You forgot the geek one. Borland -> Inspire. One of the most recognised names in the software industry and they change it to one of the worst.

    9. Re:Carphone? by operagost · · Score: 1

      They should sell every smartphone velcro-ed into a little bag with one of these packed in:

      http://www.nativeunion.com/us/...

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    10. Re:Carphone? by AmiMoJo · · Score: 1

      HP -> Agilent -> Keyshite.

      Agilent was okay I guess, but Keysight is terrible.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Carphone? by geekmux · · Score: 1

      It's an old name, they don't actually sell carphones any more, only normal mobile phones (and some really shitty hands-free kits for your car). They actually had the good sense to keep their name, despite it being outdated.

      Brand management idiots will often recommend rebranding, but it's almost always suicide. Coco-Pops became something forgettable and then had to change back. Royal Mail became Consignia and then had to change back. People recognize Carphone Warehouse now, despite it not selling carphones or being a warehouse.

      Recognize them? Oh yeah, I remember them now! They're just down the street from Bobs Buggy Whip Emporium.

      As much as you want to spread the bullshit here, there are valid reasons to change company names. This would be a textbook example of one, as the only reason people remember them today is because they've reduced themselves to a punch line as twentysomethings turn to Urban Dictionary to figure out what the fuck a car phone is, and why Apple doesn't make one today in 17 colors.

    12. Re:Carphone? by Anonymous Coward · · Score: 0

      I was hoping for Carhouse Dixphone but was sadly disappointed.

  5. I'm from England by Anonymous Coward · · Score: 1

    My face when an American called a touchy-wuchy mobile-carphone an "iPhone" near me.

  6. Unsurprising by uberjack · · Score: 1

    It's what you get when you hire the likes of Darren Lamb.

  7. Where were the keys stored? by SwashbucklingCowboy · · Score: 1

    Doesn't matter if they were encrypted if the decryption key(s) were also stolen...

    1. Re:Where were the keys stored? by invictusvoyd · · Score: 1

      One spare key was beneath the doormat. Just in case.

    2. Re:Where were the keys stored? by Anonymous Coward · · Score: 0

      One spare key was beneath the doormat. Just in case.

      You mean like with Windows 10 and Bitlocker?

  8. security breach fatigue by k6mfw · · Score: 1

    It seems every day there's some breach where millions of people are affected. It seems like same ol' same ol'... like traffic accidents typically not reported.

    --
    mfwright@batnet.com
    1. Re:security breach fatigue by Anonymous Coward · · Score: 0

      Companies do two things:

      1- Hoard as much information as possible, personal or payment.
      2- Think they can secure this information. *

      * "Think" because they may not have the savviness to do it, or maybe it simply can't be done anyway.

      Essentially, they hoard information that they cannot protect and they need to be held financially and criminally accountable for this every time there is a leak. Let's send that idea to Trump so that he can soapbox it! The other turds surely won't (well maybe Rand).

    2. Re:security breach fatigue by Anonymous Coward · · Score: 0

      They don't think. They just pretend and "la-la-la" their way through the rest of the problem space.

      In any sane world they'd never be granted license to do business with an attitude like that.

    3. Re:security breach fatigue by umghhh · · Score: 1

      He is a simpleton enough to actually do it, me thinks. I also find it amusing that he has some societal uses after all. Seems everybody can do some good.

    4. Re:security breach fatigue by Anonymous Coward · · Score: 0

      They don't think

      Other symptoms of not thinking: making wild suppositions, treating them as fact, and then drawing conclusions.

      Ironic.

      BTW you don't need a "license" to run a business in the UK. Anyone can do so provided they have not previously been barred from becoming a company director.

    5. Re:security breach fatigue by guruevi · · Score: 1

      Because people treat these companies as victims to the crimes, not accessories to the crime or criminally negligent. If anyone in politics/policing would actually know anything about cybercrime, they would charge them as either accessories or negligent.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  9. Re:Property Hubs : Interior decorators kolkata by Anonymous Coward · · Score: 0

    On Slashdot? seriously ? .. You need to find yourself something else to do for a living man.

  10. Re:Property Hubs : Interior decorators kolkata by Anonymous Coward · · Score: 1

    Thank you for spamming your business URL in reply to a web site breach article on a site where literally millions of people are seeking a target. I was very bored, sitting here in my office with the windows painted black, wondering where I should focus my attention. And it seems you offer low hanging fruit. Port 135 and 1433 exposed? Really?

  11. Re:Property Hubs : Interior decorators kolkata by Anonymous Coward · · Score: 1

    Could be someone posting someone ELSE'S url ...

  12. Re: You mean like Toshiba? by Anonymous Coward · · Score: 0

    http://mobile.nytimes.com/2015/07/22/business/international/toshiba-chief-and-7-others-resign-in-accounting-scandal.html?referrer=

  13. Need more lawsuits. by Anonymous Coward · · Score: 0

    What the car warehouse needs now is 2.4 million lawsuits to deal with.

  14. Make management personally liable by Anonymous Coward · · Score: 0

    What needs to happen is that the senior management (C-level types) need to be held personally liable for these data breaches. Until that happens, they will not take security of customers' personal data seriously.