News / Dixons Carphone suffers massive breach; hackers steal 5.9mn payment card details
14 June 2018
Dixons Carphone recently announced that it suffered a massive data breach that resulted in the compromise of 105,000 non-EU issued payment cards which did not have chip and pin protection in place.
Hackers behind the operation also stole details of as many as 5.8 million other payment cards. However, according to Dixons Carphone, such payment cards had chip and pin protection and hackers were not able to access pin codes, CVV numbers, or any other information required to make a purchase.
Millions of customers exposed again
In a press release, the company added that these payment card details were accessed by hackers after they managed to hack into one of the processing systems of Currys PC World and Dixons Travel stores. The hackers also managed to get their hands on 1.2m records containing non-financial personal data, such as name, address or email address of customers.
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” said Alex Baldock, chief executive of Dixons Carphone.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge,” he added.
This isn’t the first time that Carphone Warehouse has suffered a major data breach impacting millions of customers. In 2015, a division of Carphone Warehouse that operated websites such as OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provided services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers suffered a cyber attack that resulted in the loss of encrypted credit card information of up to 90,000 people, as well as personal details of 2.4 million people.
Carphone Warehouse was eventually fined £400,000 by the Information Commissioner’s Office for failing to prevent unauthorised access to the personal data of over three million customers and 1,000 employees.
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” the ICO noted.
Will the ICO apply GDPR on Dixons Carphone?
Dixons Carphone has informed the ICO and other relevant law enforcement authorities about the fresh breach, following which the ICO has issued the following statement:
“An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
“This breach shows how difficult it can be to get a breach under control. Dixons Carphone has been fined for security incidents in the past and either the clean-up wasn’t thorough enough, or there remained holes in their security which haven’t been fixed. Either way, the outcome is the same, repeat breaches,” said Dr Guy Bunker, SVP of Products at Clearswift.
“When it comes to fraud, it is difficult to prove whether this is the source or not and the impact of losing this data can have a long term impact. While a credit card can be easily cancelled and replaced, addresses and email addresses will remain unchanged for days, weeks, months, years.
“Email addresses when coupled with other personal information like a name and address is fodder for phishing. As with any breach made public, phishing scams will run riot asking people whether they were customers and to register information, etc. The advice here is to watch out for such emails and ignore them, if you are concerned then call a known number, not necessarily one you get through email.”
Dr Bunker added that aside from reputational damage, Dixons Carphone may also suffer a huge iimpact from GDPR enforcements as it could be directed to compensate those who have had their sensitive information leaked. If the ICO decides to invoke the GDPR, Dixons Carphone may have a fine of up to 4% of their global annual turnover.
“For a company this size, this could be in the millions and has the potential to impact the future profitability of the organisation,” he added.