igor - Fotolia
The National Crime Agency (NCA) is leading the UK law enforcement response to the cyber intrusion at retailer and services company Dixons Carphone and an attempt to compromise 5.9 million payment cards.
The company revealed that 1.2m records containing non-financial personal data – such as name, address or email address – had also been compromised in a breach of one of the processing systems of Currys PC World and Dixons Travel stores.
However, in an attempt to downplay the severity of what could be one of the most significant data breaches in the UK, the company said only 105,000 non-EU issued payment cards affected did not have chip and pin protection.
Dixons Carphone also said there was no evidence that the information had been used to commit fraud. “We are contacting those whose non-financial personal data was accessed to inform them, apologise and to give them advice on any protective steps they should take,” the company said.
Admitting that the company had “fallen short” in protecting the data, Dixons Carphone chief executive Alex Baldock said the company is “determined to put this right”, adding that cyber crime is “a continual battle” for business today. “We are determined to tackle this fast-changing challenge,” he said.
The company’s latest data protection woes come just five months after the Information Commissioner’s Office (ICO) fined its Carphone Warehouse subsidiary £400,000 for “rudimentary” security failures that allowed hackers to access the personal data of more than three million customers in 2015.
The incident could be the first significant data breach to be investigated under new UK data protection laws aligned with the EU’s General Data Protection Regulation (GDPR). The outcome of the ICO’s investigation and subsequent action will be keenly watched, especially if the breach is deemed to have taken place after the GDPR compliance deadline of 25 May 2018.
In a statement, the ICO said: “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Act.”
According to the Telegraph, Dixons Carphone took nearly a year to discover the data breach despite promising the ICO it had bolstered its IT systems after the 2015 breach.
“Specialist officers from the NCA’s National Cyber Crime Unit [NCCU] are working with the company to secure evidence,” he said, adding that the complexity of these enquiries means that this investigation will take time.
The NCSC is urging business to take action to ensure that their online security is as robust as possible by following guidance on protecting bulk personal data from cyber attack.
The NCSC has also published guidance for customers of Dixons Carphone. “Anyone concerned about fraud or lost data should contact Action Fraud. Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040,” the NCSC said.
The NCSC warns that attackers who have the stolen personal data may use it to approach customers and trick them into revealing further personal information to commit fraud.
The NCSC said businesses should report significant cyber incidents to the NCSC. “If the incident is likely to have a national impact then we will seek to provide support, subject to resource constraints. National impact includes harm to national security, the economy, public confidence, or public health and safety.
“We would also welcome notification of incidents ‘for information’ which you feel may be of interest – for example, incidents which may contribute to our understanding of adversary activity, inform the guidance we provide, or help other organisations,” the NCSC said.
Read more about business collaboration with law enforcement
Speaking in a panel debate at Infosecurity Europe 2018 in London, Ben Russell, head of threat response at the NCCU, said: “Cyber crime reporting has certainly become a lot easier in the past 18 months, and the reality is typically very different from the perception of what will happen after a cyber crime is reported.
“Many businesses are concerned that we will come in and shut down business operations or that we will make the investigation public without their consent, but that is not at all what happens.”
Russell added that under section 7 under the Crime & Courts Act, organisations can share information confidentially without having to trigger a formal crime report.
The panel agreed that by gathering data about cyber crime, law enforcement organisations can get a better picture of the nature and scale of what is really happening, in order to allocate budget and resources appropriately and enable more arrests and effective disruptive action.
By reporting cyber crime, the panel said organisations can, in turn, benefit from the expertise in law enforcement organisations on how to respond to, and mitigate, the various kinds of cyber attack.
According to James Clegg, vice-president for Europe at FireMon, the latest Dixons Carphone breach could be a landmark incident in the UK retail sector, just as the Target breach was in the US.
“If you’re a retailer in the wake of GDPR, prioritising cyber security after the incident is not the right approach. Retailers have a duty of care to consumers – who entrust personal and card data to them when buying their products.
“Any company can fall foul of a data breach. Hackers want personal details to sell on to the dark web, or for future phishing attacks. They’re trying their luck all the time. Cyber security policies need to be a top boardroom priority, otherwise you could see your company in the middle of a crisis that it can’t come back from.
“It will be very interesting to see how the ICO reacts to this, considering it’s fined Carphone Warehouse before. We are still unsure about how the hackers went about their attack at this early stage, but that will prove critical in determining how the regulator should act,” he said.