ICO investigates Carphone Warehouse hack, issue of compensation still up in the air

As you may have seen yesterday, Carphone Warehouse has been hit by a major hacking incident, and the Information Commissioner's office is now looking into the matter.

The personal details (including emails, addresses, and bank details) of up to 2.4 million customers have potentially been stolen by the hackers, with encrypted credit card details of up to 90,000 customers also pilfered.

When we say Carphone Warehouse customers, we mean those who have used OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and also iD Mobile, TalkTalk Mobile and Talk Mobile. The division that runs these was the one successfully targeted by the attackers.

Those affected have been warned by email as we reported yesterday, but predictably, there are plenty of unhappy customers out there, and the ICO is currently investigating the breach.

In a statement, an ICO spokesperson said: “We have been made aware of this incident at the Carphone Warehouse and are making enquiries. Anytime personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings.”

Given the scale of this incident, we should hopefully be hearing from the Information Commissioner on what possible action may be taken against Carphone Warehouse, if any.

Some customers are certainly clamouring for compensation, which is not unreasonable given that some of the advice Carphone Warehouse provided to those affected – namely checking credit ratings (as the ICO also advised) – costs money.

In its updated FAQ on the hack, under the question of whether compensation will be offered, Carphone Warehouse dodged giving a straight answer, simply stating: "At this stage our priority is to inform those customers affected. The first thing any customer should do who has concerns about fraud is to contact their bank or credit card provider [who can stop fraudulent transactions]. They can also contact Action Fraud, the national fraud reporting service."

A cynic might suggest that the company is seeing how much of a fuss is made from here on out – and what the ICO comes back with – before thinking about compensating folks. This one is unlikely to blow over quietly, though, to say the least.

Ken Odeluga, a senior market analyst at www.cityindex.co.uk, commented: "Unless further details emerge which are damaging, my view is that the impact from the breach is containable. The impact on CW shares will probably be negligible and the financial fallout I suspect will be zero.

"Whilst unfortunate, breaches such are these remain relatively rare and only a tiny fraction, if any, of the individuals exposed seldom can be expected to suffer any further harm at all, apart from a temporary loss of privacy.

"CW did not publicise the breach immediately after discovery, and that has opened it up for some criticism. However, CW undoubtedly followed best practice for remedial measures to the letter, which helps explain why securing the breach before publicising may have taken priority."