Dixons Carphone data breach: Company admits attempted hack exposed details of 5.9 million bank cards


Dixons Carphone, the parent company which owns Currys PC World, Carphone Warehouse and Dixons Travel stores, has admitted a huge data breach involving the personal details of more than 5.9 million customers.

The company said there had been an "attempt to compromise" 5.9 million cards in one of its processing systems last year, but only 105,000 cards without chip-and-pin protection (those issued outside of the EU) had been leaked. We say "only", but that's still a substantial amount of customer details put at risk.

Dixons Carphone data breach

The data accessed in respect of the 5.8 million protected cards contained "neither PIN codes, card verification values (CVV) nor any authentication data" which could have been used to identify the cardholder or what they had purchased. Dixons Carphone didn't detail what information had been exposed for the other 105,000 cards, simply saying it had notified the relevant card companies, which in turn will "take the appropriate measures" to protect customers. The release didn't go into detail about what these measures are, but it's likely to involve contacting customers directly or cancelling their cards as a precaution. IT Pro has asked Dixons Carphone for more details.

Dixons Carphone is investigating the attempted hack and said it had already informed the Information Commissioner's Office (ICO), the Financial Conduct Authority as well as the police. It did add that there was "currently no evidence of any fraudulent use of the information."

An ICO spokesperson said: "An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

"Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud."

Beyond the 5.9 million cards, 1.2 million data records including names, addresses and email addresses of customers were also exposed in the Dixons Carphone breach and the company is contacting those whose non-financial data was accessed to "inform them, to apologise, and to give them advice on any protective steps they should take". IT Pro has asked the company for more details about what is being advised and how these customers are being contacted.

The hacking attempt was made on a processing system specific to Currys PC World and Dixons Travel at some point last year. IT Pro has contacted Dixons Carphone for more specific details. Carphone Warehouse said it didn't have any evidence that its own systems had been compromised in this way but it is contacting anyone affected by the breach as a matter of caution.

"The protection of our data has to be at the heart of our business, and we've fallen short here," said Dixons Carphone chief executive Alex Baldock. "We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."

"As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing."

Chris Boyd, lead malware analyst at Malwarebytes, advised customers to beware of criminals trying to contact them to steal more of their data, saying: "Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off guard if they can't remember buying something from Dixons Carphone in the first place. Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required."

Dixons Carphone data breach and GDPR

This data breach is the first major public leak to be announced since the introduction of GDPR in Europe.

Under these new, far-reaching regulations, companies can be fined up to a staggering €20 million, or 4% of global annual turnover (whichever is higher), if they are found to have failed to adhere to GDPR or suffer a data breach. In particular, a company must alert the authorities about a data breach within 72 hours of being made aware of it or face a fine of up to €10 million.

If Dixons Carphone has only just been made aware of the breach and has alerted the authorities in the specified timeframe, it won't be liable for this initial fine. Equally, if the breach occurred last year it will have happened before GDPR came into force on 25 May, suggesting the company will also avoid the other hefty GDPR fines. IT Pro has contacted the ICO for clarification.

Either way, the Dixons Carphone data breach will likely act as a testbed, and many other firms will be looking to see how it is handled. The previous Data Protection Act 1998 capped financial penalties at £500,000 for firms found to have breached it. Yahoo's UK branch, as an example, was handed a £250,000 fine by the ICO this week over a data breach in 2014 which saw hackers steal 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said "the inadequacies found had been in place for a long period of time without being discovered or addressed".

Dixons Carphone subsidiary Carphone Warehouse holds the joint record for a UK data protection fine, £400,000, issued for a 2015 data breach. At the time, the ICO said the retailer had failed to implement "basic, commonplace measures".

Picture: Shutterstock