Carphone Warehouse data breach: Industry pros pull no punches

News broke over the weekend that Carphone Warehouse has become the latest victim of a major data breach, in which hackers gained access to the personal information of 2.4 million customers.

In light of this latest high-profile security nightmare, industry professionals have been quick to offer their assessments.

Mike Spykerman, VP at OPSWAT:

"The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not.

"Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines. By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher.

"To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection."

Jason du Preez, CEO of Privitar:

“This data breach is yet another high-profile reminder that it is impossible for companies to protect their customers’ data with traditional perimeter security.

"Building more secure systems is vital, but cyber security is a cat and mouse game. Every time better security systems are built, hackers step up their game and find new ways to beat them. Even the most secure systems can become vulnerable, which is why taking a data-centric approach to security is essential. By making the data worthless to a hacker, you remove the incentive altogether.

"Companies need to embrace the irrefutable fact that the way they manage and process data will have a direct impact on brand and customer loyalty. Embracing a data-centric approach to security and a process that ensures no sensitive data is visible in any given process – privacy-by-default – will enable organisations to confidently use consumer’s precious data safely.

"Most organisations have entirely valid reasons for wanting customer data. It allows them to provide the personalised, relevant product and services consumers demand. But there’s no reason, from a technical point of view, even financial data can’t be anonymised to protect both the individual and the organisation itself.”

Phil Barnett, EMEA VP and GM of Good Technology:

“Many companies are still flying blind when it comes to security, because 60 per cent think it doesn’t affect them. The truth is that it's not just a conversation for banks or governments anymore - anyone and everyone is a potential victim of hacks and data leaks.

"Data is a company's biggest asset, but many organisations haven't yet got to grips with how to protect it in the new world order of mobile devices and cloud-based access. The security challenge won't go away and companies need to change their mindset in order to solve it."

Keith Poyser, GM EMEA at Accellion:

"While the details of the recent Carphone Warehouse security breach are still materialising, it nevertheless reinforces the fact that enterprises need to take cyber security and data leak prevention more seriously.

"This is a technology issue, training issue, process issue, corporate governance issue and on and on. To mitigate the risk of a breach, cyber security ultimately has to become a part of an enterprise’s culture and it must touch every segment of that enterprise. The good news is there are a number of steps organisations can take to lessen the chances of a cyber attack."

Klaus Gheri, VP and GM of Network Security at Barracuda Networks:

"This latest breach shows that most organisations are not doing enough to keep data safe. More than ever, security needs to be intelligent, scalable, and always available wherever end users happen to work, be it in the workplace, on a laptop or mobile device.

"With email addresses compromised as a result of the Carphone Warehouse breach, organisations and individuals must stay vigilant to the potential for spear phishing attacks. Having access to the email addresses could allow the hackers to build a detailed profile of their target and create a very specific attack. After building the profile the attack is likely to come from a 'trusted source' and this makes the chances of a successful attack considerably higher.

"As well as putting security systems in place, businesses, employees and consumers alike need to remain vigilant and question any unexpected email, with an attachment that arrives in their inbox."

David Emm, Principal Security Researcher at Kaspersky Lab:

"The fact that 2.4 million people’s personal details have been compromised will undoubtedly be a huge cause of concern for customers; and it’s hardly surprising that many have publicly expressed their dismay at the fact that it took Carphone Warehouse so long to notify them of the breach. Presumably it took Carphone Warehouse time to quantify the extent of the breach and assess its impact before taking steps to notify customers.

"Carphone Warehouse has said that it has contacted all those affected. However, I would recommend that all Carphone Warehouse customers take the opportunity to change their passwords - including changing them on any other sites where they have used the same password (it’s never a good idea to re-use the same password across multiple accounts). They should also be cautious about any e-mails they receive. The hackers behind the attack may already have been able to formulate phishing emails, so consumers must think carefully about whether the emails they receive are legitimate.

"I would caution against clicking links in e-mails – it’s always better to type the website address manually, to avoid the risk of being redirected to a phishing site. Finally, they should keep a close check on bank accounts and report any suspicious activity to the bank and to Action Fraud."

Luke Brown, Vice President & GM, EMEA, India & Latam at Digital Guardian: 

“2.4 million is a big number. When this is how many customers have been affected by a data breach, you’ve got to take a good hard look at existing security measures and question if they are even remotely adequate for the task at hand. Carphone Warehouse claims 'only' 90,000 sets of credit card details were accessed. But while a credit card can be cancelled (at much inconvenience to the cardholders affected), it’s a lot more difficult to change a name, address or date of birth. Sadly this is the issue facing the full 2.4 million customers whose personal details are now in the hands of criminals likely to use this information for phishing and fraudulent activities.

"With the implementation of the General Data Protection Regulation on the horizon and potentially ruinous fines levied against this kind of breach in the near future, businesses need to wake up to the fact that a more date-centric approach to security is the only way to effectively protect against this kind of breach in the future.

"The days of perimeter based security are numbered and with trust being the most important factor in any customer/business relationship, why wait until it has been irreparably damaged before switching to a data security protocol that is able to protect against the security threats of today, not yesterday."