Carphone Warehouse Hackers May Have DDoS-ed Firm

Hackers who stole personal and financial data from over two million Carphone Warehouse customers may have fired a DDoS attack at the firm’s network prior to that event, according to a new report.

An anonymous source “with knowledge of the attack” told The Telegraph that the attackers bombarded the Carphone Warehouse’s IT systems with traffic in the run-up to the data grab – possibly to distract the IT team.

The mobile phone vendor admitted at the weekend that it had suffered “a sophisticated cyber attack” first discovered last Wednesday.

Personal info including names, addresses, dates of birth and – more importantly – bank details may be among the information stolen, it claimed in a statement.

Up to 2.4 million customers may have been affected, and the Carphone Warehouse also admitted that encrypted credit card data from up to 90,000 customers was at risk.

Bloxx CEO, Charles Sweeney, argued that IT teams are going to have to gain better visibility and generate “exceptional diagnostics” if they want to get on top of increasingly sophisticated multi-vector attacks.

“Cyber criminals are constantly looking for ways to provide 'cover' for their activities and they do this by creatively distracting IT teams or crafting other problems within the network to divert priorities,” he told Infosecurity.

“Multi-vector attacks are only going to increase, in regards to both frequency and sophistication, and IT teams will encounter challenges understanding what is a 'genuine' and what is 'not'.”

However, it’s not 100% certain that the DDoS happened, according to security consultant, Graham Cluley.

He argued that if a large amount of data was stolen from the firm then the mere act of probing for and exfiltrating that data might have given the appearance of a DDoS attack.

Meanwhile, CipherCloud vice president of cloud security and strategy, Chenxi Wang, argued that the ICO may need to get involved, given that the Carphone Warehouse’s TalkTalk brand was breached last year.

“Given the circumstances, I would advise ICO to consider if Carphone Warehouse has since tightened security controls for protecting customer information,” she added.

“It would demonstrate extreme negligence on their part to have made no real changes to their security postures. This time around, the resulting penalty must have teeth to stop repeat offenders and compel companies to improve the robustness of their security measures.”
