2.4 Million Customer's Records Stolen From Carphone Warehouse

AmiMoJo writes: The UK's data watchdog is "making inquiries" after Carphone Warehouse said the personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack. Details taken include names, addresses and bank account details. Additionally, 90,000 people's "encrypted" credit card details were accessed, but there is no word on what type of encryption was used. Customers are advised to contact their banks (who I'm sure will be ready to handle 2.4 million phone calls), keep an eye on credit records and contact Action Fraud, the UK police's outsourced and rather useless fraud reporting centre that last month went bankrupt.

Re:

[umghhh]

They should not be doing this because?

Re:

[amalcolm]

Its just a brand name .. they sell mobile phones. They kept the name because apparently it hasd brand value

Re:

[nitehawk214]

Its just a brand name .. they sell mobile phones. They kept the name because apparently it hasd brand value

Brand value? So they are also idiots in marketing as well as security.

At Least...

[sycodon]

...it's not something Paul Potts [youtube.com] has to worry about.

ROT-13, twice

[John Bokma]

"Additionally, 90,000 people's "encrypted" credit card details were accessed, but there is no word on what type of encryption was used" Wouldn't surprise me if it was ROT-13, applied twice for twice the security :-(.

Re:

[AmiMoJo]

I like the way their attitude is "sorry, now sort it out yourself LOL". They should contact affected people's banks and either set up their own fraud reporting service or donate some serious cash to Action Fraud. Hopefully the ICO will give them a punishing fine for this.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[tompaulco]

There are serious restrictions on what can and what can not be done due to privacy laws in Europe.

For example, is it illegal to store a credit card number, even if encrypted? It ought to be.
In the United States, if you take all the precautions required under PCI, you can store the credit card, but it is far safer to only send the credit card number to the processor once and receive a token back which is a hash associated with the card AND with your merchant account so even if stolen and somehow used, it cannot be used for the benefit of the thief.

Re:

[Behrooz Amoozad]

I think Harakiri/Sepukku is what you mean because Harakrishna is an Indian name.

Re:

[omnichad]

Is that the code where 1 becomes K, 2 becomes L and so on?

Re:

[AmiMoJo]

It's an old name, they don't actually see carphones any more, only normal mobile phones (and some really shitty hands-free kits for your car). They actually had the good sense to keep their name, despite it being outdated.

Brand management idiots will often recommend rebranded, but it's almost always suicide. Coco-Pops became something forgettable and then had to change back. Royal Mail became Consignia and then had to change back. People recognize Carphone Warehouse now, despite it not selling carphones or

Re:

[Anonymous Coward]

Actually, they merged with Dixons, and changed their name to Dixons Carphone, which is utterly retarded. They changed their name, AND held onto the half which has been completely redundant for at least 10 years...

Re:

[JaredOfEuropa]

Dixons Warehouse would have made even less sense.

Carphone warehouse is a nice, sensible (and yes: somewhat outdated) name. These days a lot of companies seem to go for utterly forgettable faux Latin names, or they take regular words but spell them slightly different, preferably using Qs and Zs. Ugh. Makes me long for the day when founders of a company would often just stick their own names on the door. A recent example: Andrews and Arnold Ltd, an ISP in the UK. Goes against every modern branding gui

Re:

[Godwin O'Hitler]

In their international operation, Carphone Warehouse becomes just "The Phone House". And it has been so for over 15 years.
So I guess if the UK operation is still called Carphone Warehouse, they must still be in love with it.
I don't personally see the advantage in passing through a middleman. Same phones, same operators, same contract.

Re:

[Viol8]

"I don't personally see the advantage in passing through a middleman."

Getting a choice of different operators and phones all in one shop is the advantage.

Re:

[alex67500]

They usually end up pushing customers to the provider that gives them the best kick-back at the time, so no quite so independant...

Re:

[badzilla]

It has also done well at retaining its colloquial name which is Crap-phone Whorehouse.

Re:

[Xiaran]

You forgot the geek one. Borland -> Inspire. One of the most recognised names in the software industry and they change it to one of the worst.

Re:

[AmiMoJo]

HP -> Agilent -> Keyshite.

Agilent was okay I guess, but Keysight is terrible.

Re:

[operagost]

They should sell every smartphone velcro-ed into a little bag with one of these packed in:

http://www.nativeunion.com/us/... [nativeunion.com]

Re:

[geekmux]

It's an old name, they don't actually see carphones any more, only normal mobile phones (and some really shitty hands-free kits for your car). They actually had the good sense to keep their name, despite it being outdated.

Brand management idiots will often recommend rebranded, but it's almost always suicide. Coco-Pops became something forgettable and then had to change back. Royal Mail became Consignia and then had to change back. People recognize Carphone Warehouse now, despite it not selling carphones or being a warehouse.

Recognize them? Oh yeah, I remember them now! They're just down the street from Bobs Buggy Whip Emporium.

As much as you want to spread the bullshit here, there are valid reasons to change company names. This would be a textbook example of one, as the only reason people remember them today is because they've reduced themselves to a punch line as twentysomethings turn to Urban Dictionary to figure out what the fuck a car phone is, and why Apple doesn't make one today in 17 colors.

I'm from England

[Anonymous Coward]

My face when an American called a touchy-wuchy mobile-carphone an "iPhone" near me.

Unsurprising

[uberjack]

It's what you get when you hire the likes of Darren Lamb.

Where were the keys stored?

[SwashbucklingCowboy]

Doesn't matter if they were encrypted if they decryption key(s) were also stolen...

Re:

[invictusvoyd]

One spare key was beneath the doormat . Just in case.

Re:

[Anonymous Coward]

Thank you for spamming your business URL in reply to a web site breach article on a site where literally millions of people are seeking a target. I was very bored, sitting here in my office with the windows painted black, wondering where I should focus my attention. And it seems you offer low hanging fruit. Port 135 and 1433 exposed? Really?

Domain: propertyhubs.com
IP: 100.42.56.20
stats.cascara.arvixe.com (100.42.56.20)
NetName: ARVIXE-NETWORK-1
City: Santa Rosa
StateProv: CA
OrgAbuseEmail: abuse@a

Re:

[Anonymous Coward]

Could be someone posting someone ELSE'S url ...

security breach fatigue

[k6mfw]

It seems every day there's some breach where millions of people are affected. It seems like same ol' same ol'... like traffic accidents typically not reported.

Re:

[umghhh]

He is a simpleton enough to actually do it, me thinks. I also find it amusing that he has some societal uses after all. Seems everybody can do some good.

Re:

[guruevi]

Because people treat these companies as victims to the crimes, not accessories to the crime or criminally negligent. If anyone in politics/policing would actually know anything about cybercrime, they would charge them as either accessories or negligent.