alphaspirit - Fotolia

Dixons Carphone admits 'falling short' on data protection

Dixons Carphone has warned that millions of credit card and personal data records may have been compromised in a cyber breach

Electrical and telecommunications retailer and services company Dixons Carphone is investigating a cyber intrusion at the company and an attempt to compromise 5.9 million payment cards.

The intrusion was detected in one of the processing systems of Currys PC World and Dixons Travel stores, and also involved more than a million personal data records.

The company’s latest data protection woes come just five months after the Information Commissioner’s Office (ICO) fined its Carphone Warehouse subsidiary £400,000 for “rudimentary” security failures that allowed hackers to access the personal data of more than three million customers in 2015.

The company said in a statement it has added extra security measures and engaged cyber security experts after discovering there has been unauthorised access to personal and financial data.

“We have taken action to close off this access and have no evidence it is continuing,” the company said, adding that there is no evidence to date of any fraudulent use of the data.

Although 5.9 million cards were potentially affected, the company said 5.8 million have chip and pin protection.

“The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made,” the company said.

Read more about GDPR

This means approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.

“As a precaution, we immediately notified the relevant card companies via our payment provider about all these cards so they could take the appropriate measures to protect customers,” the company said, reiterating that there is no evidence of any fraud on these cards as a result of this incident.

In addition to payment card data, the company said 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed.

“We have no evidence that this information has left our systems or resulted in any fraud at this stage,” the company said. “We are contacting those whose non-financial personal data was accessed to inform them, apologise and to give them advice on any protective steps they should take.”

Dixons Carphone said it has informed the “relevant authorities”, including the ICO, the Financial Conduct Authority (FCA) and the police.

The ICO said it is liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. “Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud,” the ICO said in a statement.

News of the breach comes just days after the company’s chief information security officer, Paul Midian, told attendees of Infosecurity Europe 2018 in London that the General Data Protection Regulation (GDPR) will not only increase the number of cyber incidents reported, but also help drive consistency in the common understanding of cyber risks and threats.

Read more about business collaboration with law enforcement

He was taking part in a panel discussion on the collaboration between business, law enforcement and government in fighting cyber crime. The panel agreed businesses had a vital role to play, including reporting all cyber crime incidents to help build a clearer picture of cyber criminal activity.

“We are extremely disappointed and sorry for any upset this may cause,” said Dixons Carphone chief executive Alex Baldock. “The protection of our data has to be at the heart of our business, and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access, and though we currently have no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” he said.

Baldock said the company is “determined to put this right” adding that cyber crime is “a continual battle” for business today. “We are determined to tackle this fast-changing challenge,” he said.

Underlining the potential impact of data breaches on a business, Dixons Carphone shares fell 6% in early London trade following the news, according to the Financial Times.

Answers not imminent

Tony Pepper, CEO of privacy and risk management firm Egress, said it will be a while before the public is given any insight into how someone got access to such a vast amount of information and exactly how many people are affected.

“It seems likely it’s going to be one of the bigger breaches we’ve seen,” he said. “However, at this early stage, Dixons Carphone appear to be taking a proactive approach to this breach – contacting affected data subjects, bringing in experts and adding extra security measures.

“What is interesting about this case is it will be one of the first to fall under the General Data Protection Regulation (GDPR),” said Pepper.

“Under these new laws, companies need to be able to report quickly and effectively on breaches, and the ICO has the right to hand out much larger fines than under the Data Protection Act.

“There was a lot of speculation in the run-up to GDPR around the increase in fines and whether or not the ICO would issue heavy punitive penalties, so it’s likely there are going to be a lot of eyes on this case,” he said.

Read more on Privacy and data protection

Data Center
Data Management