About 2.4 million former and existing mobile phone users who took out contracts or bought handsets via Carphone Warehouse and its subsidiary brands are being encouraged to alert their bank about a potential data breach as soon as possible.
The warning comes after it emerged that Carphone Warehouse (which is owned by Dixons Carphone) discovered that personal details of up to 2.4 million customers have been accessed by hackers, while the encrypted data from 90,000 credit card holders may also have been accessed at the same time around two weeks ago.
Carphone Warehouse says the hack affects some customers who have either taken out a contract or bought a mobile phone online from the following websites, which it operates: Carphone Warehouse, OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, iD Mobile and TalkTalk Mobile websites.
However, it's still investigating over what time period these purchases would have been made for customers to be affected by the hack.
It says customers who've potentially been affected, have received emails about the incident. It adds that the "vast majority" of Carphone Warehouse customers, as well as all Currys and PC World customers, which are also part of the Dixons Carphone brand, are unaffected by the security breach.
Data regulator, the Information Commissioner's Office (ICO), has been made aware of the incident and says it is "making inquiries". See our Stop Scams guide to protect yourself.
I'm affected, what should I do?
Those who've received an email from Carphone Warehouse are encouraged to do the following:
- Alert your bank and check your statements: Inform your bank that your information may have been compromised so it can monitor for any suspicious activity on your account. Also check your bank and card statements for unusual transactions. If you spot anything you don't recognise, contact your bank or card company immediately.
Financial Fraud UK (FFA), which represents card firms, says all banks have advanced fraud screening systems in place, which detect and stop suspicious activity on customers' accounts. It adds that if you are a victim of fraud, you'll be refunded by your bank.
- Watch out for phishing calls and emails: The hackers may already have some information about you so be wary of any calls, texts or emails out of the blue asking for personal or financial details. Your bank will never call you to ask for your four-digit PIN or your online banking password, or for you to transfer money to a new account for fraud reasons. If in doubt, just hang up or ignore the email or text.
- Check your credit rating to make sure no one has taken out loan and credit in your name. See our Credit Rating guide for how to do this. James Jones, head of consumer affairs at Experian, adds that customers should also close any online accounts that aren't in use as each account contains valuable personally-identifiable information, which could be used to commit fraud if it gets into the wrong hands.
- Report fraudulent activity to Action Fraud: Incidents of fraud should also be reported to Action Fraud – the police's central reporting point – for fraud either online or by calling 0300 123 2040. Although the police can't investigate every individual report, it allows it to build up intelligence about fraud.
To protect yourself from fraud you should also change the passwords on all your online accounts from time to time. Create unique passwords for each site you use and try to make it as strong as possible using a combination of upper and lower case letter, numbers and symbols. You should never use the same password twice.
'We are very sorry that people have been affected'
Sebastian James, group chief executive of Dixons Carphone, says: "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.
"We are, of course, informing anyone that may have been affected, and have put in place additional security measures."