Carphone Warehouse has suffered a data breach: what should you do – or not do?
What’s happened?
Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed after the company was hacked, the mobile phone retailer has said. The data breach affects customers who used the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites. It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
What data have the criminals got?
Names, addresses, dates of birth, phone numbers and, crucially, bank details – sort codes and account numbers – in short, everything you would need to start defrauding people.
The company said up to 90,000 customers may also have had their credit card details accessed, although these were encrypted, making that less of a risk.
What’s the company doing about it?
The company has apologised and says it is emailing all affected customers. It is also blocking access to the websites’ accounts.
When TalkTalk had a similar problem earlier this year, many customers complained they hadn’t been told about the breach. Carphone claims this has been headline news for days, meaning few will be unaware it has happened. However, many of those affected will have been on holiday and probably know nothing about it.
The company says it may contact affected customers by other means if an email bounces back. Critics say the Information Commissioner, which is investigating, should force the company to write to every person affected.
TalkTalk had the same problem, didn’t it?
Yes – 480,000 TalkTalk Mobile customers are affected by this latest breach, and for many this is a repeat performance. In late 2014, TalkTalk suffered a similar data breach but was slow to warn customers about the problem. Fraudsters then started ringing up customers pretending to be calling from the company, quoting them their TalkTalk account numbers and other personal data. Having gained the victims’ trust, the fraudsters were able to extract thousands of pounds from their bank accounts in several cases. Victims have contacted the Guardian, furious that TalkTalk has washed its hands of the matter and refused any liability. Others who have not lost out have been repeatedly phoned by fraudsters.
TalkTalk used to be part of the Carphone Warehouse group until they demerged in 2010. The two firms still have close commercial ties and may share similar back office systems.
I am one of the affected customers – what do I need to do?
Be very, very wary of anyone who calls up claiming to be from any of the affected companies, or anyone else in fact. If you get a call from the bank saying that they have noticed fraudulent transactions on any account, bank credit card etc, be on guard. Phone back – but only once you are certain that the fraudster has not kept the phone line open – still possible on millions of landlines. Phone a friend first to make sure the line is clear. Then call the bank. Don’t hand over any passcodes or passwords to anyone on the phone, whoever they claim to be – especially if they say they are trying to make a payment into your bank account.
Anything else I need to know?
Keep a close eye on your bank statements and credit card bills for anything untoward. You should change any passwords on the affected accounts – and also any others if you used the same password elsewhere. A credit reference check will show up if anyone has applied for credit in your name. This can be done online or by post.
If reports start to emerge that the fraudsters have used this stolen data successfully, anyone whose data was lost should immediately register their details with Cifas. For £20 a year, the not-for-profit organisation will place a warning flag against your name and other personal details in its National Fraud Database. This tells retailers etc to pay special attention if your details are used to apply for their products or services. Knowing that you’re at risk, the store should carry out extra checks to make sure it’s really you applying, and not a fraudster using your details.
Will Carphone Warehouse pay for this?
The company is not offering to pay customers anything at the moment, but that could change. If it had to pay for each victim to register with Cifas, it would cost it millions.