Almost two months after revealing a data breach that reportedly took place nearly a year before, Dixons Carphone has upped the estimate of affected personal data records from 1.2 million to 10 million.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted,” the company said in a statement.
In June, the electrical and telecommunications retailer and services company said it was investigating a cyber intrusion in one of the processing systems of Currys PC World and Dixons Travel stores in 2017.
In addition to accessing personal, non-financial records that included names, addresses and email addresses, the company said the cyber attackers had accessed 5.9 million payment card records.
However, the company said only approximately 105,000 non-EU-issued payment cards without chip and PIN protection had been compromised, although no fraud had been detected.
Dixons Carphone said it had added security measures, engaged cyber security experts, informed the “relevant authorities” – including the ICO, the Financial Conduct Authority (FCA) and the police – and launched an investigation into the breach.
The company said it would contact all affected customers to apologise and advise them on how to protect themselves against fraud.
“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing. We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing,” the company said.
Dixons Carphone chief executive Alex Baldock said the investigation had enabled the company to build a “fuller understanding” of the incident.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us,” he said.
After the incident was first reported, the National Cyber Security Centre (NCSC) urged UK businesses to improve data protection capabilities.
The NCSC also published guidance for customers of Dixons Carphone. “Anyone concerned about fraud or lost data should contact Action Fraud, their online fraud reporting tool [is available] any time of the day or night, or call 0300 123 2040,” the NCSC said.
The NCSC warns that attackers who have the stolen personal data may use it to approach customers and trick them into revealing further personal information to commit fraud.
News of the latest breach at the company emerged just five months after the Information Commissioner’s Office (ICO) fined its Carphone Warehouse subsidiary £400,000 for “rudimentary” security failures that allowed hackers to access the personal data of more than three million customers in 2015.
Responding to the breach update by Dixons Carphone, a spokesperson for the ICO said: “Our investigation into the incident is ongoing and we will take time to assess this new information.
“In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers.”