Dixons Carphone has led the industry in many ways, showing it can be a leader in a cut-throat high street retail environment.
But its latest claim to fame has the firm becoming a first in a different sphere, having to admit a significant data breach just weeks after the GDPR rules came into force.
In the build-up to the introduction of GDPR towards the end of May, most of the channel realised that some customers would not be ready in time and a wait-and-see policy was being adopted. That strategy involved waiting for someone to have a breach and seeing the response from those with the ability to hand out fines.
The bigger the fine the larger the stampede from those firms looking to cover their own backs and as a result potentially a second shot of pitching GDPR solutions for the channel.
Dixons has now given those keenly watching the market something to study with the retailer revealing that it suffered a breach that started last July that involved 5.9m payment cards and 1.2m personal data records.
Hackers had attempted to access the information, but of the millions of cards targeted only 105,000, which lacked chip and pin protection, had been leaked.
"As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems," stated Dixons Carphone chief executive Alex Baldock.
"We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents," he added.
"As the first major data breach to hit headlines since GDPR was enforced last month, there will be many companies keeping a watchful eye over how this is handled. Under these new regulations, companies can be fined up to 4% of their annual turnover if they fail to protect their data, however, with this breach taking place pre-GDPR, it'll be interesting to see what approach the ICO takes. Either way, it's likely that Dixons Carphone will be hit with a hefty fine for lax security," said Ross Brewer, vp and md EMEA, LogRhythm.
"Businesses must ensure they have tools in place that can quickly identify anomalous activity from the outset. Threat detection tools such as User and Entity Behaviour Analytics (UEBA) are intelligent enough to know what is legitimate behaviour on the network and what is not, allowing businesses to shut down unauthorised access before any data has been compromised. If Dixons Carphone had had this in place last year, they would have been able to nip this in the bud without any unwanted attention; instead they will become the poster boy for post-GDPR data breaches," he added.
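The behaviour-analytics idea Brewer describes (learn what is normal for each user, then alert on departures from it) can be shown in miniature. The following is an added example written for this article, not code from LogRhythm, Dixons Carphone or any UEBA product; it assumes a constructed access-log format of `timestamp user=... src=... records=...` and uses a per-user volume baseline plus a known-host set to flag a bulk read from an unfamiliar source.

```python
"""Toy per-user behaviour baseline over constructed access-log lines.

Added illustration only; the log format, user names, hosts and dates are
all constructed for this example and do not come from the article.
"""
import statistics
from collections import defaultdict

# Constructed sample log: "<iso-timestamp> user=<id> src=<host> records=<n>"
# alice reads a few dozen records a day from her workstation, then one night
# pulls thousands through a different host; bob is steady throughout.
SAMPLE_LOG = """\
2017-07-01T09:00:00 user=alice src=ws-12 records=40
2017-07-02T09:05:00 user=alice src=ws-12 records=35
2017-07-03T09:10:00 user=alice src=ws-12 records=45
2017-07-04T09:00:00 user=alice src=ws-12 records=38
2017-07-05T02:30:00 user=alice src=vpn-gw-7 records=5200
2017-07-01T10:00:00 user=bob src=ws-40 records=10
2017-07-02T10:00:00 user=bob src=ws-40 records=12
2017-07-03T10:00:00 user=bob src=ws-40 records=11
"""


def parse_line(line):
    """Split one log line into a dict; the format is this example's assumption."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": ts,
        "user": fields["user"],
        "src": fields["src"],
        "records": int(fields["records"]),
    }


def detect_anomalies(lines, z_threshold=3.0, min_history=3):
    """Replay events in time order, building a baseline per user as we go.

    An event is scored only once the user has at least `min_history` prior
    events. It is flagged when its record count is more than `z_threshold`
    standard deviations above the user's mean, or when it comes from a host
    that user has never used before. Flagged events are *not* folded into
    the baseline, so one bulk read cannot poison the user's own normal.
    Returns a list of (timestamp, user, [reasons]).
    """
    history = defaultdict(list)      # user -> record counts of accepted events
    known_hosts = defaultdict(set)   # user -> hosts seen in accepted events
    alerts = []

    events = [parse_line(l) for l in lines if l.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, counts = ev["user"], history[ev["user"]]
        reasons = []
        if len(counts) >= min_history:
            mean = statistics.mean(counts)
            # A perfectly flat baseline has stdev 0; use 1.0 so any jump scores.
            stdev = statistics.pstdev(counts) or 1.0
            z = (ev["records"] - mean) / stdev
            if z > z_threshold:
                reasons.append(f"volume z={z:.1f} (baseline mean {mean:.0f})")
            if ev["src"] not in known_hosts[user]:
                reasons.append(f"new source host {ev['src']}")
        if reasons:
            alerts.append((ev["ts"], user, reasons))
        else:
            counts.append(ev["records"])
            known_hosts[user].add(ev["src"])
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is, it reports a single alert for alice's 02:30 read of 5,200 records from `vpn-gw-7`, on both the volume and new-host grounds, and nothing for bob. Two design points matter more than the arithmetic: the baseline is built from a user's own history rather than a global rule, and anomalous events are kept out of that history, which is the difference between a detector that notices a slow-burn exfiltration and one that learns to accept it.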
The case is not totally straightforward because the breach started last summer, well before GDPR came into force, but it should still have an impact on the GDPR debate, stated Andrew Bushby, UK director at Fidelis Cybersecurity.
"With this being the first major breach reported in the UK since the enforcement of GDPR, the timing is slightly awkward. It will be interesting to see how this is handled - particularly given the actual breach took place last year. Questions will no doubt be asked about the safeguarding measures around the data before the breach, and why so many personal records were put at risk in the first place. As such, I'm sure that this will attract more eyes than usual, as other organisations wait to see how it all pans out in this post-GDPR era," he said.
Brian Shea, Managing Director at QualiTest UK & EU, said that it was concerning that these sorts of breaches continued to hit the headlines.
"Cyber criminals appear to be finding it easier to access personal data and companies must now look at whether their defence software is doing its job properly.