Dixons Carphone data breach: Company admits ten million customers were affected
Dixons Carphone, the parent company which owns Currys PC World, Carphone Warehouse and Dixons Travel stores, has admitted that a huge data breach that took place last year involved ten million customers. The revised figure is more than eight times the company's initial estimate of 1.2 million customers.
Investigations have been ongoing since the hack was discovered in June, with hackers reportedly gaining access to 5.9 million payment card records. However, it is thought that nearly all of these 5.9 million were protected by the trusty chip and pin system; the company described it as an “attempt to compromise” 5.9 million cards, and said that only 105,000 cards without chip-and-pin protection (those issued outside of the EU) had actually been leaked. We say “only”, but that’s still a substantial amount of customer details put at risk.
In the meantime, Dixons has said it is “very sorry for any distress” caused to customers. The firm is said to be working on its cybersecurity measures, with Dixons Carphone chief Alex Baldock telling the BBC, “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.”
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” Baldock explained. “As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.” No timescale was given as to when and in what format customers would be contacted.
Dixons Carphone data breach
The data accessed in respect of the 5.9 million protected cards contained “neither pin codes, card verification values (CVV) nor any authentication data” that could have been used to identify the cardholder or what they had purchased. Dixons Carphone didn’t detail what information had been exposed for the other 105,000 cards, simply saying it had notified the relevant card companies, which in turn will “take the appropriate measures” to protect customers. The release didn’t go into detail about what these measures are, but they are likely to involve contacting customers directly or cancelling their cards as a precaution. Alphr has asked Dixons Carphone for more details.
Dixons Carphone is investigating the attempted hack and said it had already informed the Information Commissioner’s Office, the Financial Conduct Authority as well as the police. It did add that there was “currently no evidence of any fraudulent use of the information.”
Beyond the 5.9 million cards, 1.2 million data records including names, addresses and email addresses of customers were also exposed in the Dixons Carphone breach and the company is contacting those whose non-financial data was accessed to “inform them, to apologise, and to give them advice on any protective steps they should take”. Alphr has asked the company for more details about what is being advised and how these customers are being contacted.
The hacking attempt was made on a processing system specific to Currys PC World and Dixons Travel at some point last year. Alphr has contacted Dixons Carphone for more specific details. Carphone Warehouse said it didn’t have any evidence that its own systems had been compromised in this way but it is contacting anyone affected by the breach as a matter of caution.
“The protection of our data has to be at the heart of our business, and we’ve fallen short here,” said Dixons Carphone chief executive Alex Baldock. “We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing.”
Yet Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, is not convinced, telling Alphr: “It’s all very well saying that customers’ financial details are not at risk, or have not been fraudulently used, but they’re missing the point somewhat. If their attitude is ‘don’t worry because your financial details haven’t been compromised’, that’s a reflection of the wrong attitude towards data protection.
“The fact that this breach has only just been identified through a routine security review can be viewed from two sides. Yes, it’s great that this breach was identified as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017, why wasn’t it identified sooner? How often is security scanning done, given that it has taken almost a year to be found?”
Dixons Carphone data breach and GDPR
This data breach is the first major public leak to be announced since the introduction of GDPR in Europe.
Under these new, far-reaching regulations, companies can be fined up to a staggering €20 million, or 4% of global annual turnover (whichever is higher), if they are found to have infringed GDPR, for instance by failing to keep personal data adequately secure. In particular, a company must alert the authorities about a data breach within 72 hours of being made aware of it or face a fine of up to €10 million, or 2% of global annual turnover.
If Dixons Carphone has only just been made aware of the breach and has alerted the authorities within the specified timeframe, it won’t be liable for this initial fine. Equally, if the breach occurred last year it will have happened before GDPR came into force on 25 May, suggesting the company will also avoid the other hefty GDPR fines. Alphr has contacted the ICO for clarification, but in an official statement the regulator said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”
Either way, the Dixons Carphone data breach will likely act as a testbed, and many other firms will be watching to see how it is handled. The previous rules capped financial penalties at £500,000 if firms were found to have breached the Data Protection Act 1998. Yahoo’s UK branch, as an example, was handed a £250,000 fine by the Information Commissioner’s Office this week over a data breach in 2014 in which hackers stole 500 million people’s personal data.
The regulator slammed the company’s failure to apply adequate protections against the theft, and said “the inadequacies found had been in place for a long period of time without being discovered or addressed”.