What does the Carphone Warehouse data breach mean for ecommerce and multichannel retailers? We asked the experts.
The news that Carphone Warehouse IT systems were breached earlier this month in what the company describes as a “sophisticated cyber-attack” will resonate across the ecommerce and multichannel retail industries.
While shoppers with the affected websites, OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, will rightly be concerned about the loss of personal data that could include name, address, date of birth, bank details and encrypted credit card data, the attack has far wider implications. If Carphone Warehouse, part of leading UK electricals retail business Dixons Carphone, can lose such vital information, then other retailers must also be concerned about the safety of their systems. Such a breach has enormous implications for a business.
Even though customers of Currys and PC World, and the “vast majority” of Carphone Warehouse customers, have not been affected, Carphone Warehouse must still contact up to 2.4m customers to advise them on the potential misuse of their personal and bank details, and up to 90,000 customers to let them know their encrypted credit card details may have been taken. It’s an enormous task, and it doesn’t stop there. The company has launched an investigation with a cyber security firm to find out what data has been affected and has put extra security measures into place to prevent further attacks. “We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” said Sebastian James, group chief executive of Dixons Carphone. “We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
Across the UK, retailers of all sizes hold such information on their customers. How can they best ensure they avoid the logistical, reputational and no doubt financial repercussions that Carphone Warehouse is now experiencing?
Mike Spykerman, VP at OPSWAT, which provides solutions to protect against phishing and malware, says data breaches are “no longer a question of if, but when.”
He added: “At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines. By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection.”
Mark Bower, global director at HP Security Voltage, which provides data-centric security software solutions, says this attack is a “clear signal that contemporary data encryption and tokenization for all sensitive fields, not disk or column level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission.”
He added: “Disk encryption protects data at rest, but it’s an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion.”
He says retailers now need to learn from the banking and payment processing industries in protecting their data.
“Another problem is that, while firms may focus on credit card data to meet basic PCI compliance, attackers will steal any sensitive data like account data, contact information and so on as they can repurpose it for theft. There are effective defences to this.
“Today’s new breed of encryption and tokenisation techniques can render data itself useless to attackers, yet functional to business needs. This technology, such as Format-Preserving Encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data’s journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques. Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer-reviewed data encryption is infeasible to break on any realistic basis. It’s a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can’t monetize quickly move on to other targets.”
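The tokenisation idea Bower describes, as an added illustration that is not part of the article and not HP Security Voltage's product or true Format-Preserving Encryption: a vault-based scheme that replaces each card number with a same-length digit string keeping the last four, so order records and analytics work on tokens while only the vault holds real PANs. The key and card numbers are constructed test values.

```python
import hashlib
import hmac
from collections import Counter


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault only accepts well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """PAN -> format-preserving token (digits only, same length, last four kept).
    Tokens are HMAC-derived, so the same PAN always maps to the same token and
    downstream joins work without decryption; the PAN itself only lives here."""

    def __init__(self, key: bytes):
        self._key = key         # assumption: in production this sits in an HSM/KMS
        self._vault = {}        # token -> PAN, the single place PANs are stored

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        # Take trailing decimal digits of the MAC to avoid leading-digit bias.
        body = str(int.from_bytes(mac, "big")).zfill(80)[-(len(pan) - 4):]
        token = body + pan[-4:]
        if self._vault.get(token, pan) != pan:
            raise RuntimeError("token collision; rotate key or widen token space")
        self._vault[token] = pan
        return token

    def detokenize(self, token: str, authorised: bool) -> str:
        # Only the payment role may recover a PAN; analytics never needs this.
        if not authorised:
            raise PermissionError("detokenization requires the payment role")
        return self._vault[token]


def repeat_card_tokens(order_tokens):
    """Business use on tokens alone: which cards placed more than one order."""
    return sorted(t for t, n in Counter(order_tokens).items() if n > 1)


def demo():
    vault = TokenVault(b"constructed-demo-key-do-not-reuse")
    pans = ["4111111111111111", "5555555555554444", "4111111111111111"]  # constructed
    tokens = [vault.tokenize(p) for p in pans]   # what the order database stores
    return vault, tokens, repeat_card_tokens(tokens)
```

Because tokens are deterministic, the order table can be queried for repeat cards without the key, while a stolen copy of that table yields no card numbers.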
Matt Newing, chief executive of telecoms and unified communications provider Elitetele.com, says retailers must ensure they have PCI compliant technology in place to protect consumer data. By doing so, and communicating that fact to customers, retailers will overcome the doubts of the four in five shoppers who, in Elitetele.com’s recent research, said they were not confident their financial information was secure when paying over the phone. “Having the correct technologies in place allows a business to protect consumer data so it can proactively communicate its compliance to its customers, earn their trust and therefore safeguard the growth of the business,” he said.