NEWS ANALYSIS: The security industry explains how consumers and businesses can protect themselves from this hack and against future data breaches
Over the weekend, Carphone Warehouse admitted the personal details of up to 2.4 million customers could be in the hands of criminals following a cyber-attack last week.
This includes as many as 90,000 encrypted credit card details but also other information like names, addresses, bank details and dates of birth.
The police and Information Commissioner’s Office (ICO) are already looking into the matter, but what can consumers do to protect themselves and what steps should businesses take to ensure they can protect themselves from being the next victim of a data breach?
Thierry Karsent, technical director at Check Point
“Armed with the data they already have, attackers are likely to try and trick those affected by the breach into revealing further details, such as account numbers and passwords. For the attackers, it’s just a numbers game, but it could have serious consequences for customers.
“Phishing emails continue to be the most common source for social engineering attacks, so customers should be suspicious of any emails, or even phone calls, that relate to the breach, and should not give away more information.”
Mark James, security specialist at ESET
“Data from this breach may well be used in an attempt to directly log into other financially related systems as some people still fail to have unique passwords for different online accounts. This data may also be used in targeted phishing attacks to get more useful data that could also be used for identify theft or other malicious purposes.
“We all know how to handle that random caller or email that tries to scam us with a half-hearted attempt at gaining our trust but if they are armed with some kind of information that is true along with some knowledge of our explicit data ( names, addresses) that trust could be the stepping stone to a successful scam being completed.
“Data will be circulated and used elsewhere for ongoing spam or malware campaigns, all data has a value and we need to understand that any information can be used for malicious reasons.”
“Be vigilant against people calling or emailing with sporadic bits of information in an attempt to gain more data about you. Change your passwords NOW, also remember that you can use different bits of information when filling out forms or applying for web page access. You don’t need to tell the truth about your favourite colour or your first dog’s name.
“Speak to your bank or financial organisation so they are aware and if still concerned sign up for a reputable credit checking organisation to keep an eye on your credit activity. Lastly keep an eye on your bank statements especially small sporadic payments that are classed as “under the radar” that sometimes can be used to test your bank details.”
Amichai Shulman, CTO of Imperva
“I think that this is a good example of how media and “normal” people sometimes overlook what attackers are extremely fast to understand. How can someone even bother to mention 90,000 credit card numbers (which seem to be encrypted) when 2.4 Million records, that include bank account numbers as well as personal details, have been stolen.
“Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So basically attackers now have ‘immutable’ information about millions of individuals. This is something to worry about.”
Mike Spykerman, vice president at OPSWAT
“The reality is that data breaches are no longer a question of if, but when. At least some of the information at Carphone Warehouse was encrypted, but still a lot of personal data was not. Data breaches often start with a spear phishing attack that evades detection from regular spam filters and single anti-virus engines.
“By using multiple anti-virus engines, the possibility that a spear phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection.”
Jason Hart, data protection CTO at Gemalto
“While reports have stated that Carphone Warehouse encrypted some data, it has not been confirmed whether all its customer data was encrypted. It is essential that all personal data is 100 percent encrypted.
“Coupled with this, organisations should invest in a standards-based enterprise key management strategy that should include specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for them as they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who could then access cardholder data.
“To really get to grips with data protection, organisations need to move to a framework that is centred on the data itself. This means focusing on specific points of vulnerabilities, and using end-to-end encryption and key management to secure data from the earliest possible moment of its capture, ensuring it remains in an encrypted state consistently until it arrives at the payment gateway.”