The personal data of 2.4 million Dixons Carphone customers – including names, addresses, dates of birth, email addresses and bank details, as well as the encrypted credit card details of 90,000 people – has been affected by a data breach.
Carphone Warehouse’s FAQs for concerned customers – published at the weekend, three days after the breach was discovered – provides more detail:
“On August 5th we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack. This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.”
According to the BBC, Dixons Carphone CEO Sebastian James said: “We are, of course, informing anyone that may have been affected, and have put in place additional security measures.
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.”
On the same day the cyber attack was discovered, the Guardian reported that Mr James “could earn up to £4.9m next year if he meets performance targets” for the retail group.
Disgruntled customers who took to Twitter to vent their frustration about the data breach will doubtless be interested in the investigation that the Information Commissioner’s Office (ICO) is conducting into the incident. If found guilty of any breaches of the Data Protection Act 1998 (DPA), Dixons Carphone could be liable for fines of up to £500,000.
City AM reports that shares in Dixons Carphone – Carphone Warehouse’s parent company – fell 1.7% after the data breach was announced, but soon started to recover.
ISO 27001 and best-practice cyber security
Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
As the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’
An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to enterprise-wide information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes and technology, providing an enterprise-wide approach to information security based on the risk appetite to match the specific threats the organisation actually faces, limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.
ISO 27001 Packaged Solutions
Priced from only £380, IT Governance’s ISO 27001 Packaged Solutions provide unique implementation resources for all organisations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organisations to implement an ISMS with the minimum of disruption and difficulty.