
Dixons Carphone breach compromises data of nearly 6 million customers

14th June 2018 (April 19th, 2019)

The ICO has confirmed that it is investigating the incident reported by Dixons Carphone involving the breach of nearly 6 million customers’ data. The breach comprises two separate incidents: one the compromise of customers’ bank card and payment details, the other the compromise of the personal information of 1.2 million customers.

“An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers,” an ICO spokesperson said.

Dixons Carphone is the company behind PC World, Currys and Carphone Warehouse, formed by a merger in 2014. Not long ago Carphone Warehouse was fined £400,000 by the ICO for a data breach, but this time the systems of the Currys PC World and Dixons Travel stores were the points of entry.

Dixons Carphone has confirmed that hackers tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. It realised the breach while reviewing its systems and data.

This latest breach could potentially be one of the largest data breaches to affect the UK. It is believed that hackers may have compromised 5.9 million credit and debit cards; however, of those only 105,000 cards were without chip and PIN protection. The other 5.8 million cards were chip and PIN protected, and no PIN codes, CVV or authentication data were accessed, so it is believed that those cards could not have been used to make purchases.

Additionally, 1.2 million personal data records, including names, addresses and email addresses, were compromised. Carphone Warehouse confirmed there is no evidence that the information left its systems, although as a precautionary measure it is contacting all affected customers.

It is early days with regard to the investigation and there are many unanswered questions. What we do know is that the incident took place in July 2017, but Dixons Carphone only became aware of the breach a week ago, so it is being disclosed almost a year after it occurred.

Some are questioning whether there’s any connection between this latest breach and the 2015 Carphone Warehouse breach. The company claims that there is no connection.

The company has apologised for its failings. Alex Baldock, Dixons Carphone Chief Executive, said, “The protection of our data has to be at the heart of our business, and we’ve fallen short here”.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” Mr Baldock explained.

It’s claimed the breach occurred before the 25th May 2018, so before the enforcement of the new EU GDPR. If this is found to be correct it is likely that the old Data Protection Act will apply which could impose a maximum penalty of £500,000.

It’s staggering that, even after being on the receiving end of a massive fine a couple of years earlier for a breach in one of its other divisions, lessons have not been learnt and actions have not been taken to avoid a recurrence. This is careless and unacceptable behaviour. It seems that even some large organisations are just not doing enough to protect customers’ data, and it is not due to a lack of resources. It raises the question: what will it take for organisations to take the protection of customers’ data seriously?


Sources:

ICO: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/ico-statement-in-response-to-dixons-carphone-breach-announcement/

BBC News: https://www.bbc.co.uk/news/business-44465331