Important data information issue 8th August 2015


The below FAQ contains further information about the recent cyber attack on some of our IT systems.

We are currently contacting impacted customers to provide them with guidance.

The vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident.

The impacted websites include OneStopPhoneShop.co.uk, e2save.com and Mobiles.co.uk, which provide a number of services to iD Mobile, TalkTalk Mobile, and Talk Mobile.

Please be assured that we are taking this very seriously and have put in place additional security measures to prevent further attacks.

Customer FAQs

1. What happened?

On 5 August we discovered that the IT systems of a division of Carphone Warehouse in the UK had been breached by a sophisticated cyber-attack. This division operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks.

Our investigation has indicated that personal data which may include names, addresses, dates-of-birth, and bank details of up to 2.4 million customers, may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected, informing them of the breach and giving advice to reduce risk and minimise inconvenience. Currys PC World and the vast majority of Carphone Warehouse customer data is held on separate systems and has not been accessed during this incident.

2. Which sites were affected?

This division operates the websites OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk, and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

3. When was the breach discovered?

We discovered the breach on the afternoon of Wednesday 5 August, and have been working intensively to establish the extent of the breach.

4. Why has it taken so long for you to contact me?

The attack was sophisticated and affected a large volume of customers across multiple businesses. We are working intensively to identify those at risk and are contacting them individually to provide advice on actions they need to take.

5. How will I know if I have been affected by this attack?

We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce any risk and minimise inconvenience. We have contacted customers via email, and where no email address was held, via text message or via post. If you don’t hear from us, your data hasn’t been affected by this attack.

6. What if I don’t have an email or my email address is incorrect, how will you contact me?

We have tracked any email bounce-backs and contacted those customers by text message. Any customers without email addresses that are affected have also been contacted by text message. Where we have not been successful via email or text message, we are also following up via post.

7. Why have you chosen to text customers over another means of communication?

We committed to contacting all affected customers. Where we didn’t have any other means of contact, text was the only option.

8. Will you be contacting customers by post?

We started contacting customers by email on Saturday 8 August. We have tracked email bounce-backs and have contacted those customers by text message where possible. Where we did not hold a correct customer email address, we have also attempted to make contact via SMS text message. There is a very small portion of customers whom we have been unable to contact by email or text message, and we have now sent letters to those customers’ postal addresses.

This is in addition to the information available to customers through in-store, online and call centre communications, as well as through our public announcement and social media. We have also co-ordinated with the banks to ensure that they are aware of those customers who may be affected and can take appropriate action.

9. Are there any customers for whom you haven't got email addresses, mobile numbers or postal addresses? What are you doing in those cases?

There is a very small portion of customers for whom we do not hold an email address, mobile number or a postal address.

We would have liked to have made contact with all customers directly, and have been very proactive in communicating publicly in relation to this incident. We have made information available to customers in-store, online and through our call centre communications, as well as through our public announcement and social media. We have also co-ordinated with the banks to ensure that they are aware of those customers who may be affected and can take appropriate action.

10. Why is TalkTalk Mobile sending letters to customers? Are these in addition to previously announced customers?

No, these are not in addition to the previously announced customers. This is a second communication from TalkTalk Mobile, reiterating by post what they’ve already said in emails to customers.

11. What information was compromised?

Our investigation has indicated that personal data, which may include names, addresses, dates-of-birth, and bank details of up to 2.4 million customers, may have been accessed. Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce risk and minimise inconvenience.

12. Has my credit card information been stolen?

Encrypted credit card data of up to 90,000 customers may also have been accessed. We and our partners are contacting all those customers who may have been affected to inform them of the breach and to give them advice to reduce risk and minimise inconvenience.

13. Is it safe to continue using your websites?

Yes, we want you to feel safe in all dealings with us. We have also put in place additional security measures to prevent further attacks.

14. Is buying through the CPW website secure? Have customers buying through this route been affected?

The Carphone Warehouse website and the vast majority of Carphone Warehouse customer data is held on a separate system. There is no evidence that this has been breached and customers can continue to use the CPW website securely. In addition, we have put in place additional security measures to prevent further attacks across all of our websites.

15. I am a customer of carphonewarehouse.com or Carphone Warehouse stores – am I affected?

The vast majority of Carphone Warehouse customers are not affected. We are contacting all customers via email or text message, if they are impacted, to give them advice in order to reduce any risk and minimise inconvenience.

16. I am not a customer of Carphone Warehouse, idmobile.co.uk, onestopphoneshop.co.uk, e2save.com or mobiles.co.uk. Why am I impacted?

Data may be in our system as a result of a number of different interactions with us - some of which may not have concluded in a transaction. These could include enquiries about mobile phones, network contracts, mobile phone insurance or other services, some of which are provided by us through third parties where they would be the brand name you dealt with at the time.

17. Are other brands impacted, Currys, PCWorld and Dixons Travel, KnowHow?

No. The customer data of these brands is kept separate from the businesses that have been affected by this incident.

18. How did this cyber attack happen?

This attack was very sophisticated and is part of the reality of the modern world. Our priority is reducing risk and inconvenience for customers and continuing to build ever stronger defenses.

19. Has the issue been resolved?

We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected. We have also put in place additional security measures to prevent further attacks.

20. Does this mean I’m a victim of identity theft?

Someone having access to your personal information or bank account details does not necessarily mean you have been a victim of identity theft or that your information will be used to commit fraud. We recommend that you take the appropriate steps to protect yourself, such as closely reviewing account statements for suspicious activity.

21. What do you recommend I do to protect myself from identity theft and fraud?

To reduce the risk of fraudulent activity, we recommend that you consider taking the following steps:

  • Notify your bank and credit card company, so that they can monitor activity on your account
  • Check for suspicious or unexpected online/account activity
  • Be wary of anyone calling you and requesting personal information, bank details or passwords
  • You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax

22. You have contacted me to tell me my data has been breached, does this mean I will have fraudulent activity on my account?

We are contacting all customers who are affected by the data breach; however, this does not mean you have been a victim of fraud or identity theft. We recommend that you contact your bank and credit card company immediately, who will monitor activity on your accounts, and be wary about giving access to any personal information. If you believe you have been a victim of fraud, you should contact your bank or credit card company. You can also get in touch with Action Fraud, the UK’s national fraud and internet crime reporting center, on 0300 123 2040.

23. What will ‘Action Fraud’ do to help me if I contact them?

By calling ‘Action Fraud’ on 0300 123 2040, you will be able to discuss your situation with one of their specialist fraud advisers and get advice on how to protect yourself from possible fraud.

If you have been a victim of fraud, reporting it to ‘Action Fraud’ ensures that the correct crime reporting procedures are followed. ‘Action Fraud’ passes on all fraud cases to the National Fraud Intelligence Bureau (NFIB), which is overseen by the police force that leads on fraud for the UK – the City of London Police. Making a crime report to ‘Action Fraud’ also means that you will receive a police crime reference number. You can use your police crime reference number to update the information in your crime report.

24. Have you reported this intrusion to the relevant authorities?

Yes, as part of our investigation we have notified the Information Commissioner's Office (ICO) and the police.

25. What are you doing to prevent this from happening again?

We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly which data was affected. We’ve also put in place additional security measures to prevent further attacks.

26. Will customers be held liable for fraudulent charges?

Card issuers publish their own policies regarding fraudulent charges. Generally, issuers do not hold customers responsible for fraudulent charges if they are reported in a timely manner. Please contact your bank for details on their policies.

27. I recently noticed suspicious activity on my credit card. Is that related to this incident?

If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting center, on 0300 123 2040.

28. Should I cancel my credit or debit card?

To reduce the risk of fraudulent activity, we strongly advise you to notify your bank and credit card company. We also recommend that you take the following steps:

  • Check for suspicious or unexpected online or account activity
  • Be wary of anyone calling asking for personal information, bank details or passwords
  • You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax

29. How can I check if my credit rating has been impacted by this attack?

You can check your credit rating to make sure no one has applied for credit in your name. You can do this by visiting Experian or Equifax.

30. Why do I have to take these actions myself? Can’t you do it for me?

Due to data protection rules, we are unable to take these steps for individual customers. We regret any inconvenience this incident may have caused.

31. What steps have you taken to protect customers from fraud?

  • We took immediate action to secure the systems affected and put in place additional security measures to prevent further attacks.
  • We have notified the Information Commissioner's Office (ICO) and the Police.
  • We have contacted customers affected to give them advice.

32. Has my information already been sold or misused?

We have currently seen no evidence of this. We encourage our customers to review their account statements and immediately notify their credit and debit card issuer if they suspect fraud on their accounts.

33. Why was the data being held by you?

This was the information we collected and stored through the normal course of business, which involves credit checking in order to set up mobile phone contracts.

34. I have previously provided my personal email address. Has this information been stolen?

Because these records were taken from online transactions, the majority do include email address details.

35. I am not a current customer, why do you hold my details?

We hold details of previous customers and through our marketing we acquire additional information through online queries.

36. Will you be offering me compensation?

At this stage our priority is to inform those customers affected. The first thing any customer who has concerns about fraud should do is contact their bank or credit card provider (who can stop fraudulent transactions). They can also contact Action Fraud, the national fraud reporting service.

37. I would like to speak to you directly – who should I contact?

If you would like to speak to us directly, please contact:

Mobiles.co.uk

www.mobiles.co.uk

Customer Service - 01509 615 474

e2save (inc. The Phonespot)

www.e2save.com

Customer Service - 01509 610 888

Onestopphoneshop

Customer Service - 01509 615 478

Carphone Warehouse

www.carphonewarehouse.com

Customer Service - 0370 111 6565