Hackers bombarded Carphone Warehouse with online traffic as a smokescreen while they stole the personal and banking details of 2.4 million people, according to sources with knowledge of the incident.
The retailer revealed at the weekend that its security had been breached in a “sophisticated” attack.
It is now thought that criminals used a cyber attack technique known as Distributed Denial of Service (DDoS) as a cover to help them infiltrate the retailer’s systems and perpetrate one of Britain’s biggest ever data thefts.
To mount a DDoS attack, a global network of hijacked computers, known as a botnet, is used to bombard the target computers with traffic, overloading them and potentially forcing them offline.
The ensuing technical problems can serve as a distraction for security staff, allowing hackers to exploit software vulnerabilities or stolen administrator credentials to break into systems and extract data undetected.
A source with knowledge of the attack on Carphone said its online retail systems had come under bombardment before the major data theft was noticed on Wednesday last week.
The millions affected are customers of, e2save.com and , as well as Carphone and its own mobile operator, iD Mobile. The systems broken into also held data for Talk Mobile and TalkTalk Mobile, the retailer said.
Victims were advised to ask their bank to be on the lookout for suspicious activity, although on Monday there were no verified reports of fraud using the stolen data, sources said.
Hackers who steal personal data often sell it in bulk on digital black markets to other criminals who seek to use it to commit fraud.
According to internet security experts, criminals are increasingly using DDoS attacks to disguise their intrusions.
In the most famous case, in 2011, Sony’s PlayStation Network, an online gaming service, was shut down for weeks after the personal and financial details of 77 million customers were stolen. The chief of the PlayStation division told the US Congress that a simultaneous bombardment of traffic against the network “may have made it more difficult to detect this intrusion quickly”.
Subsequent examples of DDoS smokescreens include a 2012 attack on a bank during which card date was stolen and $9m drained from accounts via cash machines around the world. A warning that online bombardment can be a “diversionary tactic” for fraudsters is now part of official cyber security advice to US banks.
Carphone Warehouse, which is contacting customers affected and co-operating with police and the Information Commissioner’s Office, declined to comment.