Describing itself as “extremely disappointed”, Dixons Carphone has revealed that it was hit by a massive data breach, admitting it fell short on protection after perpetrators tried to compromise nearly six million payment cards. In addition, more than a million records containing non-financial personal data were also accessed illegally.
“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores,” noted the specialist electrical and telecommunications retailer and services company in its announcement. “However, 5.8 million of these cards have chip and PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV), nor any authentication data enabling cardholder identification or a purchase to be made.
“Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers.”
The firm, also known for its Carphone Warehouse brand in the UK, said it has no evidence that the unauthorised data access is continuing nor that the information has been used to commit fraud. In addition, Dixons Carphone has notified the police, the Financial Conduct Authority (FCA), and the Information Commissioner's Office (ICO).
As for the 1.2 million personal data records, affected consumers are being contacted and given advice on what to do next to protect themselves. Needless to say, the retailer is also reaching out to apologise.
“We are extremely disappointed and sorry for any upset this may cause,” said Dixons Carphone chief executive Alex Baldock. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems, and will be communicating directly with those affected.”
Insurance industry reacts
Following the announcement, Beazley international data breach manager Raf Sanchez commended Dixons Carphone’s actions in response to the discovered hacking.
“This breach and the speed with which management have moved to contain it and to communicate their efforts not just to regulators but also to the public shows just how important it is to be prepared,” commented Sanchez. “It is almost impossible to prevent breaches but if organisations want to survive these events they have to have a strategy to react and manage these incidents.”
Sanchez also noted that many are not ready for the complexities of the new mandatory breach reporting regime under the European Union’s General Data Protection Regulation (GDPR).
“This breach is the first significant incident under the new GDPR regime and it will be interesting to see how the UK’s privacy regulator, the Information Commissioner, reacts,” he said. “The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers’ details were accessed.”
For CNA Hardy cyber head David Legassick, “this is a clear example of plan beats no plan.”
Calling cyber threat a boardroom risk, Legassick explained: “In our view, if the boardroom takes it seriously, then it becomes embedded within the culture. If the leadership are all on the same page, then legal, HR, IT, management, and all business units are also on the same page with them and the organisation is much better enabled to withstand an attack.
“Events like this underscore how important it is we never stop learning – making sure the company can capture in detail how, when, where, and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defence stronger.”
Meanwhile, Baldock offered assurances that Dixons Carphone is determined to tackle cybercrime.