The BBC reports the UK smartphone retailer’s owner, Dixons Carphone, discovered the breach on August 5. The attack could have been ongoing for up to two weeks before that date.
The data taken includes customer names, addresses, birth dates and bank details, according to a preliminary internal investigation conducted by the company during the past few days. It affects people who shopped on the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, as well as some purchasers on the main Carphone Warehouse website.
The brands also provide phone contracts to people using iD Mobile, TalkTalk Mobile and Talk Mobile, so these customers may have been hit too. The BBC reports that 480,000 TalkTalk Mobile customers may be affected.
Carphone Warehouse is currently the only independent high-street mobile phone retailer in the UK. After Phones4You closed its doors last year, Carphone Warehouse has been left as the only place where UK consumers can buy phones from a physical store that isn’t owned directly by a mobile network. The retailer’s parent company, Dixons Carphone, was created last year when Carphone Warehouse merged with Dixons Retail, the owner of brands including Currys and PC World.
The company has said the “vast majority” of customers on carphonewarehouse.co.uk are not affected. Dixons Carphone’s other UK retail arms, branded as Currys and PC World, use different systems and have not been impacted by the hack. People who may have had details taken will be contacted as soon as possible.
The BBC reports that Sebastian James, chief executive of Dixons Carphone, said in a statement: “We are, of course, informing anyone that may have been affected, and have put in place additional security measures. We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.”
Although Dixons Carphone has now apologised for the incident, many customers aren’t happy that the company delayed revealing the details until three days after it became aware of the issue. If the hackers have successfully decrypted card data, they could have been using the credentials for days without the owners knowing.
Dixons Carphone will be notifying affected customers as soon as possible and will be providing advice on how they can protect themselves against card fraud. People who have had their details stolen should notify their bank and card company and scrutinise new bank statements for any suspicious activity.
Carphone Warehouse shut down all of the affected websites as soon as the problem was found on Wednesday afternoon. The retailer is now likely to face scrutiny from the Information Commissioner’s Office to ensure that it is adequately protecting sensitive customer details. If it is found to be neglecting its duties, a fine of up to £500,000 could be imposed with compensation going to those affected by the breach.