Number of customers breached: 2.4 million (90,000 credit card numbers)
Brands affected: TalkTalk Mobile, Talk Mobile, OneStopPhoneShop.co.uk, e2save.com
Data taken: not credit card numbers but names, addresses, dates of birth
Was it sophisticated? The word has become meaningless. All breaches are now described that way
Period of breach: around two weeks to 5 August
Repercussions? It’s been reported to the ICO so financial penalties will be modest
Comparable UK breaches: Sony (2011), Mumsnet (2014), eBay (2014), Moonpig (2015)
Forensics deployed: an expensive firm has been hired to work out what happened
Good luck to the 2.4 million customers of Carphone Warehouse, many of whom will now have to change their credit cards after the latest breach to affect a UK online retailer.
In fact only 90,000 credit card details were part of the lost data and those were encrypted, the company said, but the cards will doubtless be changed anyway - as a precaution you understand.
But it will be much harder for the same 2.4 million people to change the other data that was lost, including names, addresses, dates of birth and bank details. Changing a credit card is easy and is necessary to protect the issuer and data holder from fraud or insurance costs, not to protect the customer, who is never liable in this sort of incident.
Names, birthdays and addresses are more permanent and in the case of an unfortunate 2.4 million Britons these details are now in the hands of cybercriminals who will use them to build long-term profiles of the world’s citizenry in order to carry out future crimes.
It’s a sobering thought. Once your name and birthday have been stolen in this way they are out there forever, for the rest of your life. They can’t be revoked or recalled. That might not matter this week or this year, but ten years from now who knows what cybercriminals could invent to make use of them, to threaten, to extort, or simply to terrify.
The most arresting thing about this incident isn’t simply that it happened but that it has become routine.
As is usual in these cases, we know relatively little about the mechanics of the breach, but some important details have been revealed. The most significant is that the breach is believed to have occurred on or after 22 July, up to a fortnight before the company discovered it. This is actually a fairly rapid discovery by breach standards - many of the worst breaches that hit US retailers in 2013 took anything from weeks to months to spot.
The problem is that ‘when’ the breach occurred can mean anything. It might have occurred on one day or have happened over a period of time before that. Just because Carphone Warehouse traced it to that date doesn’t definitively mean it couldn’t have been happening earlier.
Will the imminent EU General Data Protection Regulation (GDPR) make any difference to this type of case? Only because the possible fines will rise above today’s paltry £500,000 limit, a trifling sum for businesses turning over billions. In future that will turn into millions, possibly tens of millions, and possibly even hundreds of millions if the case is serious enough.
As for the future, we should draw two conclusions from the almost casual manner in which these breaches seem to be occurring. First, consumers should be a lot more careful about who they hand their personal data to. At the moment, people are complacent about the long-term effects of breaches, seeing the dangers only in the narrow terms of possible financial loss. That is naive.
Second, it is not good enough for large, well-resourced businesses to say ‘sorry’ for data breaches, take a tiny fine from the ICO and perhaps some bad publicity, and then just move on. People in their 20s and 30s are losing incredibly personal aspects of their identity such as names and addresses to cybercriminals. History tells us that will come back to bite them one day in a future world where that sort of knowledge is even more powerful and defining than it is now.
Image credit: SafeNet, from the firm's Breach Level Index