Re: Carphone Warehouse in customer data breach – BBC News

Re: Carphone Warehouse in customer data breach – BBC News

Re: Carphone Warehouse in customer data breach – BBC News

Customer FAQs
1. What happened?On August 5th we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack. This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks.

Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience. Currys and PCWorld and the vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident. 2. Which sites were affected?This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse. 3. When was the breach discovered?We discovered this on the afternoon of Wednesday 5th August and have been working intensively to establish the extent of the breach.4. How will I know if I have been affected by this attack?We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience. If you don't hear from us, your data hasn't been affected by this attack.5. What information was compromised?Our investigation has indicated that personal data which may include name, address, date of birth and bank details of up to 2.4 million customers may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience.6. Has my credit card information been stolen?Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience.7. Are other brands impacted, Currys, PCWorld and Dixons Travel, KnowHow?No. The customer data of these brands is kept separate from the businesses that have been affected by this incident. 8. Why was the data being held by you?This was the information we collect and store through the normal course of business, which involves credit checking in order to set up mobile phone contracts.9. How did this cyber attack happen?This attack was a sophisticated one and is part of the reality of the modern world. Our priority is reducing risk and inconvenience for customers and continuing to build ever stronger defences.10. Has the issue been resolved?We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks. 11. Does this mean I'm a victim of identity theft?Someone having access to your personal information or bank account details does not necessarily mean you have been a victim of identity theft or that your information will be used to commit fraud. We recommend that you take the appropriate steps to protect yourself, such as closely reviewing account statements for suspicious activity.12. What do you recommend I do to protect myself from identify theft and fraud?To reduce the risk of fraudulent activity, we recommend that you consider taking the following steps: - Notifying your bank and credit card company, so that they can monitor activity on your account
- Checking for suspicious or unexpected online or account activity
- Be wary of anyone calling asking for personal information, bank details or passwords
- You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax
13. Have you reported this intrusion to the relevant authorities? Yes, as part of our investigation we have notified the Information Commissioners Office (ICO) and the police.14. Is it safe to continue using your website?Yes, we want you to feel safe in all dealings with us. We have also put in place additional security measures to prevent further attacks.15. What are you doing to prevent this from happening again?We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks. 16. Will customers be held liable for fraudulent charges?Card issuers publish their own policies regarding fraudulent charges. Generally, issuers do not hold customers responsible for fraudulent charges if they are reported in a timely manner. Please contact your bank for details on their policy. 17. I recently noticed suspicious activity on my credit card. Is that related to this incident?If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre,
on 0300 123 2040.
18. Should I cancel my credit or debit card?To reduce the risk of fraudulent activity, we strongly advise you to notify your bank and credit card company. We also recommend that you take the following steps: - Check for suspicious or unexpected online or account activity
- Be wary of anyone calling asking for personal information, bank details or passwords
- You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax.
19. How can I check if my credit rating has been impacted by this attack?You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax20. Has my information already been sold or misused? We have currently seen no evidence of this. We encourage our customers to review their account statements and immediately notify their credit and debit card issuer if they suspect fraud on their accounts.21. I have previously provided my personal email address. Has this information been stolen?Because these records were taken from online transactions, the majority do include email address details.22. Why do I have to take these actions myself? Can't you do it for me?Due to data protection rules, we are unable to take these steps for individual customers. We regret any inconvenience this incident may have caused.