The criminals who stole the names, addresses and other personal data of 2.4 million Carphone Warehouse customers in July used a DDoS attack to distract IT staff while they carried out the attack, sources have told the Daily Telegraph.
Experienced hands will doubtless shrug their shoulders at this news – using DDoS attacks in this way is far from new, and the tactic has probably been used in a number of high-profile web breaches in the last few years.
As the newspaper points out, the most infamous example of this that we know of was the massive Sony PlayStation breach of 2011, although in some ways that is a bad example. The DDoS attacks were so large that customers noticed. It might have been a distraction, but it was anything but quick or stealthy and was therefore not typical.
In 2014 mitigation firm Neustar commented on the rise of ‘smokescreening’, noting that during the previous year around 20 percent of global DDoS victims had detected data theft later on. The number affected in the UK is hard to extrapolate, but one in three firms reported experiencing DDoS attacks.
The same year, 2013, Bitcoin startup BIPS reportedly lost $1 million in virtual currency after a crippling DDoS attack.
These attacks might not be uncommon, but the fact that one might have been used against Carphone Warehouse tells us something worrying. These attackers didn’t just find a way in; they came with the express intention of stealing data from the company. They had almost certainly done enough reconnaissance to know it would succeed, and anticipated the effect of a DDoS attack on the defenders.
Conclusion: the personal data they took won’t disappear into a black hole never to be seen again; it will be traded or used in future attacks.
Image credit: Arbor Networks Atlas