Cyber Incident Victim: Carpetright
Date: Apr 2024
Location: United Kingdom
Summary
Carpetright experienced a cyber attack involving malware that disrupted customer orders and internal operations, prompting the company to isolate its network. The flooring chain took systems offline at its headquarters to contain the incident, which cut staff access to HR portals and took customer helplines offline. No data compromise was confirmed while investigations and system restoration continued.
Description
On April 16, 2024, Carpetright experienced a cyber attack targeting its Purfleet, Essex headquarters. Hackers deployed malware to gain unauthorized access to the company’s network, prompting an abrupt shutdown of internal systems to contain the breach. The incident disrupted hundreds of customer orders and forced the company to take its phone helplines offline, leaving callers with a recorded message requesting patience while systems were restored. Staff networks were also disabled, including portals for booking time off and accessing payslips. Carpetright management emailed all employees on April 17 to confirm the attack was caused by a malicious virus, emphasizing that the threat was isolated before customer or employee data could be exfiltrated. The company’s immediate containment strategy focused on preventing lateral movement within the network, particularly to protect sensitive data repositories.

The attack caused sustained operational disruptions, with phone lines remaining non-functional for at least two days post-incident. Carpetright’s public statement acknowledged the inconvenience to customers but asserted no evidence of compromised personal or colleague data. Recovery efforts centered on testing and resetting affected systems while investigations continued. The incident highlighted broader cybersecurity challenges faced by UK businesses, with a recent government survey indicating a surge in attacks—50% of firms reported breaches in the preceding year, up from 32%. Carpetright’s response aligned with standard incident containment protocols, prioritizing system isolation over maintaining partial services during forensic analysis. No further details about the attackers’ identity, motives, or specific malware were disclosed publicly during the initial response phase.
