Data Breach: A Personal Experience

The personal information of up to 2.4 million customers of Carphone Warehouse and its related brands has been stolen in a cyber attack, in news that emerged over the weekend. According to various accounts, the attack was discovered on Wednesday 5 August and affected customers were notified three days later, on the Saturday. The news then broke rapidly across the UK news media.

The company states it wrote directly to all affected customers, and the Information Commissioner’s Office has said it will launch an investigation. However, this story has a personal angle for me, which I think highlights some of the issues around how such events are communicated. I’m a Carphone Warehouse customer: I bought a phone contract from them two years ago, which was recently renewed through their related brand, Talk Mobile.

I didn’t get an email from Carphone Warehouse, but by coincidence I saw the story when it first broke on the BBC on Saturday morning. At that time the story mentioned that customers with Talk Mobile may also have been affected. About an hour after the story broke I got onto the Talk Mobile website and there was no information about the breach. I then contacted customer support via an online chat service.

They had clearly not been told and knew nothing about the breach. I got a standard line about how they take security very seriously and my information was perfectly safe. I changed my password and monitored the website over the weekend, but it was not until Monday that any information was published. At least it was prominent on the home page – unlike the Carphone Warehouse site, which buried it in the News section.

Direct communication

However, the messaging here was not altogether reassuring either. It stated that “attempts” were being made to contact customers and that if I “don’t hear” anything, I’m okay. However, it gave no indication of when I might have expected to hear, so now I am in limbo. My best guess is that I probably haven’t had my data stolen on this occasion, and of course I am happy about that. But I am not happy that I have to rely on that best guess. My trust in the company, such as it was, has been diminished because I feel as if I have no meaningful reassurance of safety. I would have felt much more confident if I had received a direct message that told me:

a) The breach took place.
b) My data was not lost.

It may be that they can’t be sure about b) yet, so they can’t tell me that, but I still feel left in the dark. Data breach notification is difficult; investigations and decisions have to be made in a fast-moving environment, and I know this. I also know that the priority has to be with those people who definitely have had their information compromised. However, this is about more than just compliance; it is about much broader brand damage limitation.

In that context, some kind of direct message to me as a customer, even to tell me I’m probably not at risk, would have been very reassuring. Anything really would be good. I don’t think you can over-communicate in a situation like this.

This is doubly important because of the data they hold about me: personal information I cannot change, but which exposes me to identity theft if it has been lost. Maybe the thieves did get it, but somehow I got missed off the communication list? That can easily happen, especially when communicating in a crisis situation.

Carphone Warehouse may not have lost my information, and I will probably never know, but they have certainly lost my trust, simply by failing to acknowledge me as a customer at a time of uncertainty. Only time will tell if they will try to restore it before I can leave them for someone else.

Richard Beaumont is Privacy Services Manager at Governor Technology. You can follow Richard on Twitter @Richard_TCC.