Why was Carphone Warehouse keeping customer passwords in plain text, just months after it was hacked? [UPDATED]
If customer credit cards were encrypted, why weren't current account details? Security specialists respond
When Carphone Warehouse was hacked at the end of 2014, the company was keen to reassure customers. "As part of our ongoing approach to security, we constantly test our systems and processes using external security consultants," it told customers.
"Please rest assured that your sensitive information of date of birth, bank, or credit card details have not been illegally accessed," the warning email added. Yet, six months later, systems run by Carphone Warehouse for its demerged communications arm TalkTalk were also hacked - this time with a release of customer data that, the company admits, included unencrypted personal information.
Yet, if the organisations really did employ external security consultants to test systems and processes, why were some customers' passwords apparently stored in plain text, as TalkTalk's own customer care team admitted on Twitter this weekend after it was successfully attacked?
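An added illustration, not code from the article or from TalkTalk or Carphone Warehouse, of the difference the question above turns on: a plain-text record lets anyone who can read the database (a support agent or an attacker) quote the password back, whereas a salted, memory-hard hash lets the service verify a login without ever being able to disclose it. The customer name and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample record in the plain-text form the article criticises;
# the customer and password are made up.
PLAINTEXT_RECORD = {"customer": "alice", "password": "Summer2015!"}

# scrypt cost parameters: n=2**14, r=8 uses about 16 MiB per hash, which is
# below hashlib's default maxmem; raise them as hardware allows.
_SCRYPT = {"n": 2**14, "r": 8, "p": 1}


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return a record holding only a random per-user salt and the scrypt digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return {"customer": "alice", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt, **_SCRYPT)
    return hmac.compare_digest(digest.hex(), record["hash"])


def can_disclose_password(record: dict) -> bool:
    """True when someone with read access to the record can read the password itself."""
    return "password" in record
```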
What is worse, said Amichai Shulman, chief technology officer of security company Imperva, is that while the credit card details were encrypted, the more valuable and harder to replace current account data was not.
"How can someone even bother to mention 90,000 credit card numbers (which seem to be encrypted) when 2.4 million records that include bank account numbers as well as personal details have been stolen?" said Shulman.
He continued: "Credit card numbers are replaced in a jiffy. Bank accounts are a mess to replace and no one would change their phone number or address as a consequence of a breach. So, basically, attackers now have 'immutable' information about millions of individuals."
Philip Lieberman, CEO of identity management software provider Lieberman Software, argued that the buck stops with the chief executive - in the case of TalkTalk, Dido Harding, and in the case of Carphone Warehouse, Sebastian James.
"This is an excellent example of where the CEO of the company now needs to step in and evaluate whether they and their board of directors view [this] as an acceptable loss.
"The CEO's role today must be as the commander-in-chief of cyber-defence, rather than simply complying with the minimal requirements of auditors. The CEO should consider a review of their existing security technologies and processes in place to minimise these losses in the future," said Lieberman.
As a result of the attacks, TalkTalk customers - as well as users of Carphone Warehouse's OneStopPhoneShop.com, e2save.com and mobiles.co.uk commerce sites - may need to change credit cards and bank accounts, as well as keep a close eye on their credit records for evidence of identity theft.
TalkTalk itself advised customers to avail themselves of the free-trial monitoring services provided by Experian or Equifax - but did not offer to pay for a longer subscription for affected customers. In an email to Computing, though, TalkTalk claims it and Carphone Warehouse are negotiating with credit reference agencies to offer affected customers a longer subscription.
Mike Spykerman, vice president at security tools company OPSWAT, conjectured that TalkTalk was initially compromised via a phishing attack. "Data breaches often start with a spear-phishing attack that evades detection from regular spam filters and single anti-virus engines.
"By using multiple anti-virus engines, the possibility that a spear-phishing attack is detected is considerably higher. To avoid cyber attacks being successful, companies should prepare their defences by deploying several cyber security layers including device monitoring and management, scanning with multiple anti-malware engines, and advanced threat protection," said Spykerman.
Mark Bower, global director at HP Security Voltage (formerly Voltage Security, before it was acquired by computer giant HP earlier this year), argued that all organisations holding customer data need to adopt the kind of security measures that major financial institutions use.
"It's a clear signal that contemporary data encryption and tokenisation for all sensitive fields, not disk- or column-level encryption for credit cards, is necessary to thwart advanced attacks that scrape sensitive data from memory, data in use, as well as storage and transmission," said Bower.
He added: "Disk encryption protects data at rest, but it's an all or nothing approach that leaves exploitable gaps: applications needing data have to decrypt it every time. Yet advanced attacks steal data in use and in motion.
"Another problem is that, while firms may focus on credit-card data to meet basic Payment Card Industry (PCI) compliance, attackers will steal any sensitive data like account data, contact information and so on as they can re-purpose it for theft. There are effective defences to this. Today's new-breed of encryption and tokenisation techniques can render data itself useless to attackers, yet functional to business needs.
"This technology, such as format-preserving encryption, is proven in leading banks, retailers and payment processors who are constantly bombarded and probed by attackers. By securing customer and card data from capture over the data's journey through stores, branches, databases and analytic systems, businesses can avoid unnecessary decryption required by older generation disk or database encryption techniques.
"Data can stay protected in use, at rest, and in motion, and stays secure even if stolen. Modern vetted and peer-reviewed data encryption is infeasible to break on any realistic basis. It's a win-win for business, as it can be retrofitted to existing systems without complications and business change. Attackers who steal useless data they can't monetize quickly move on to other targets."
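Bower's distinction between encrypting a disk or a single card column and protecting every sensitive field throughout its use is shown below with an added example that is not code from the article or from HP Security Voltage. It uses vault-based tokenisation rather than format-preserving encryption: the CRM database stores only random tokens in the shape of a UK sort code and account number, the real values live in a separate vault that only the payment path may call, and a dump of the CRM yields no account numbers. The account format, the `TokenVault` class and the sample customers are assumptions constructed for the example.

```python
import re
import secrets

# Assumed field format: 6-digit sort code, hyphen, 8-digit account number.
ACCOUNT_RE = re.compile(r"^\d{6}-\d{8}$")


class TokenVault:
    """Maps real account numbers to random tokens of the same format.

    Only the payment path holds a reference to the vault; every other
    system (CRM, analytics, support tools) sees tokens alone.
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenise(self, account: str) -> str:
        if not ACCOUNT_RE.match(account):
            raise ValueError("expected SSSSSS-AAAAAAAA")
        if account in self._to_token:        # same value -> same token, so joins still work
            return self._to_token[account]
        while True:                          # draw until the token is unused and not the real value
            token = f"{secrets.randbelow(10**6):06d}-{secrets.randbelow(10**8):08d}"
            if token not in self._to_value and token != account:
                break
        self._to_token[account] = token
        self._to_value[token] = account
        return token

    def detokenise(self, token: str) -> str:
        return self._to_value[token]


def onboard_customer(vault: TokenVault, crm_db: list, name: str, account: str) -> dict:
    """The row the CRM stores: no field ever holds the real account number."""
    row = {"name": name, "account": vault.tokenise(account)}
    crm_db.append(row)
    return row


def leaked_real_accounts(crm_db: list, real_accounts: set) -> set:
    """Simulate a full dump of the CRM: which real account numbers does it expose?"""
    return {row["account"] for row in crm_db} & real_accounts


# Constructed sample customers; not real people or accounts.
SAMPLE = [("alice", "123456-12345678"), ("bob", "654321-87654321")]


def demo() -> tuple:
    vault, crm = TokenVault(), []
    for name, acct in SAMPLE:
        onboard_customer(vault, crm, name, acct)
    stolen = leaked_real_accounts(crm, {a for _, a in SAMPLE})
    recovered = [vault.detokenise(r["account"]) for r in crm]   # payment path only
    return stolen, recovered
```

The same idea extends to names, addresses and phone numbers, the fields Shulman calls immutable, since a token is worthless to a thief while the business keeps working with a consistent identifier.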