UK-based mobile device retail giant Carphone Warehouse has admitted that up to 2.4 million of its customers may have had their names, addresses and bank account details stolen by hackers in one of the largest and most sophisticated cyberattacks ever to have taken place in the country.
Carphone Warehouse said in a statement that its websites and internet services were compromised by hackers during the “sophisticated cyberattack”, which took place almost two weeks before the company learned of it on Wednesday.
Three of the retailer’s online businesses which provide services related to mobile contracts were breached. The hackers may have accessed the encrypted credit card data of up to 90,000 customers, according to the statement.
Carphone Warehouse claims the “vast majority” of its customers have not been affected by the hack, as their details are held on separate systems which were not accessed during the attack. It added that it is in the process of contacting those impacted with advice on additional steps to take. The company has been heavily criticized for waiting three days after the breach came to light before it started notifying customers.
“We are, of course, informing anyone that may have been affected [...] We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” said Sebastian James, group chief executive of Dixons Carphone, in a statement.
The company said it has now implemented additional I.T. measures to prevent such attacks in the future, and that it has also recruited a cyber security firm to investigate how the breach took place.
Carphone Warehouse now risks being fined $773,000 by the Information Commissioner's Office (ICO) if it is found to have provided inadequate protection for its customers. Sony was fined $386,000 in 2013 by the data watchdog for a breach that compromised the personal information of millions of PlayStation Network users.