Kelly Fiveash reports:
Carphone Warehouse has taken three days to go public about a serious data breach affecting nearly 2.5 million customers – with the confession that up to 90,000 subscribers may have had their credit card info ransacked.
The company said in a statement on Saturday afternoon that it had first discovered its systems had been violated by a “sophisticated cyber-attack” on 5 August.
Encrypted credit card data of up to 90,000 customers may have been lifted by malefactors, it added.
Carphone Warehouse said its websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk had been affected by the attack. Those sites provide services for customers at iD Mobile, TalkTalk Mobile, Talk Mobile and an undisclosed number of Carphone Warehouse customers.
Read more on The Register.
Update 1: A copy of TalkTalk’s email notification was posted on Pinterest, here.
Update 2: TalkTalk has posted a notice and FAQ here. From the FAQ:
Carphone Warehouse is still investigating the exact circumstances of the attack, and at the moment we cannot say for certain that this data has been accessed. The customer data held by Carphone Warehouse was:
Personal details: Title, First Name, Last Name, Marital Status, Date of Birth
Address details: Address, Residential status, Years/months at address, Previous address, Previous residential status, Years/months at previous address, Delivery address
Contact details: Home phone, Daytime phone
Bank details: Bank account number and sort code, Years/months at bank
Occupational details: Occupational status, Years/months in current job
Account details: Created date, TalkTalk account ID, TalkTalk customer ID, TalkTalk landline number, Accept threshold
The credit card numbers of customers who have taken out a mobile product in the last two weeks were also present, but this data was encrypted. In some cases, TalkTalk My Account usernames and passwords were also held.