ICO to look at Dixons Carphone breach

The Information Commissioner's Office, which has the power to issue fines, will be looking at the Dixons Carphone data breach.

The Information Commissioner's Office (ICO) is investigating the Dixons Carphone data breach, which may have affected up to 2.4m customers.

Dixons Carphone said that the encrypted credit card details of up to 90,000 customers might have been stolen, along with names, addresses, dates of birth and bank details.

However, the retailer is now facing a huge backlash due to the length of time it took to go public with the breach. The hack was discovered on Wednesday May 5, but it didn’t let customers know until Saturday May 8.

The firm stressed that the vast majority of customers were not affected. The systems that were compromised belonged to the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk.

“We take the security of customer data extremely seriously, and we are very sorry people have been affected by this attack,” said Sebastian James, chief executive of Dixons Carphone. “We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”

Dixons Carphone sent emails to all those potentially affected by the breach, but customers have been taking to social media and public forums to express their anger with the communications provider. Many felt that the email attempted to shift the burden of responsibility back onto customers, asking them to cancel cards and check credit reports, which is a chargeable service (see full letter below).

A spokesman for the Information Commissioner’s Office said: “We have been made aware of an incident at Carphone Warehouse and are making enquiries.”

One of the factors the ICO might be looking at is the time it took for the firm to go public with the news of the breach.

Communication with the customers affected by the breach has already started, with customers being warned about potential follow-up issues after last week's attack.

Some of the steps that users should take include checking for unexpected online or account activity, watching out for calls trying to elicit personal information, and checking with credit agencies to see if anyone has applied for credit in their name.
