The personal data, including bank details, of Carphone Warehouse customers have been accessed in a "sophisticated cyber-attack". Personal details of up to 2.4 million customers may have been accessed as well as 90,000 credit and debit card records.
As the company and the Information Commissioner's Office now investigate how its IT systems were compromised, the breach once again calls into question how prepared some of our biggest and most trusted organizations really are in the ever-evolving battle against hackers and advanced cyber threats.
Andrew Avanessian, VP at endpoint security company Avecto, said that such attacks should and can be planned for and prevented:
"Though exact details on the route to entry in this attack remain fairly limited, it's likely that the retailer's detection mechanisms simply didn't flag the attack until it was too late. The result of this failure has compromised not only the credit and debit card details of some 90,000 people but also jeopardised their customers' identities, something increasingly more valuable to today's hackers and cyber criminals.
"While it's too early to start pointing the finger at other root causes, time and time again these kinds of attacks often stem from the exploitation of innocent employees through privilege abuse. For example, a hacker will find their way onto the corporate network and once there seek out employees with admin privileges, creating an open door to sensitive business information.
"It's important therefore to stress that prevention is possible. Businesses can and should limit their exposure to this risk by adopting a least privilege approach to user access. Businesses should prepare for when they are targeted, not if, and taking control of who has access to what is the obvious starting point. This approach is complemented by tight control of applications and the mitigation of internet-borne malware through sandboxing, creating multiple layers of defense to prevent and protect against these kinds of threats.
"Customers of the Carphone Warehouse should also remain vigilant and not engage in unsolicited contact that requests personal or financial information. If they are unsure about what they are being asked or have reservations about the nature of the contact, they should hang up and make a call back to the company's official number to confirm authenticity."