back to article Huge hack attack: UK data cops to probe Carphone Warehouse breach

Britain's data watchdog plans to investigate a massive hack attack on Carphone Warehouse's systems, which has put 2.4 million customers at risk of having their personal info ransacked by wrongdoers. On Saturday afternoon, the company coughed to the mega data breach and added that up to 90,000 subscribers may have had their …

  1. Anonymous Coward
    Anonymous Coward

    The ICO will be as useless at penalising this behaviour as they are with public sector bodies. Now I do realise that cash sanctions seem to be pretty much their only recourse, but managers /execs never seem to suffer. My crystal ball shows that this will be the same here - probably (its a little hazy on this point) with lower penalties.

  2. This post has been deleted by its author

    1. hatti

      Possibly because they get a percentage of each transaction. Having said that there is sometimes scant attention to security on some builds, partly because security is just not as sexy as selling shiny plastic and metal things until something like this happens, and partly because it is not fully understood.

    2. mark 120

      What, and dent their profits?

      They won't remove a retailers ability to take card payments while they can continue to make money from those payments, and while they don't stand any losses which do occur - the latter point is the whole reason for PCI, after all.

  3. Doctor Syntax Silver badge

    I'd have thought that they would be on the hook for any losses between the breach and the notification and beyond allowing for a margin for customers to pick up the communication and act on it. It may, of course, be covered by insurance but their insurance cover should be more expensive in the future.

    At some point insurers are going to start demanding more information about the risks they're covering so the IT equivalent of an 18 year-old Ferrari driver is going to find cover much more expensive if not impossible.

  4. Mark 85 Silver badge

    3 Days?

    However, as noted by The Register yesterday, it took the company -.... – three days to go public about the hack.

    Well, think about it. If you want to bury a sensitive story about something bad happening, when's the best time? Certainly not during business hours on a weekday.

  5. Zog_but_not_the_first

    As the secure Internet crumbles

    You might as well get your passwords printed on a T-shirt (or several) so you could remember them.

    Great choice of pic though.

  6. Anonymous Coward
    Anonymous Coward

    Every attack is sophisticated because it'll have been done in such a way whereby the developers would never have thought about doing it that way.

    So, really, "sophisticated attack" is PR bullshit for "Well they hacked it in a way we didn't think was possible, because we really thought we were the dog bollocks when it came to development".

    1. gr00001000


      Or they hacked the central network of the company using an APT with targeted malware and exfiltration.

      Because their CIO and senior admins haven't learnt about APT protection providers.

  7. mark 120

    When did they notify Visa etc / their acquirer, as required under PCI rules?

  8. alain williams Silver badge

    Why I did not buy from carphone warehouse

    I tried to buy 2 new 'phones from carphone warehouse a few weeks ago, an outright purchase, not on contract, I have a connection only SIM with giffgaff. They asked for my name, address, ... I refused saying I was buying a 'phone & saw no reason to give them all of that. They said that it was company policy to insist on the information and refused to sell anything to me without that info. I left and bought what I wanted elsewhere.

    I now feel quite happy that I did insist on preserving my privacy.

    1. James Pickett

      Re: Why I did not buy from carphone warehouse

      "company policy to insist on the information"

      I wonder if it still is..?

  9. JLV

    naive question

    is there no better way?

    Why does CarPhone need to store your CC info in the first place? Can't they just pass you the terminal, have it upload the transaction data and your PIN and receive an confirmation of accepted transaction from Visa in return? With an confirmation id so that the stuff can be tracked back later on if needed? No need to store any of your CC data in that case, Visa takes that role on and they have every incentive to protect it.

    Why, instead of expecting anything useful out of merchant security, does Visa & all not work that way in general? Or at least maybe give a transaction cut discount to retailers doing that.

    I get that Amazon wants to store your CC data, it's very convenient not to have to reenter it every time. But in a store setting you still need provide the card physically every single time. Why store anything about it if Visa can look after that? Even store-issued cards are still managed by CC companies.

    Or was this breach on the website end of things rather than the stores?

    This is an honest question, I am not POS-savvy in the least.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021