Dixons Carphone, the retail chain responsible for the Dixons Travel, Currys, Carphone Warehouse and PC World shops, has admitted a security breach in which card details of up to 5.9 million people were spilled.
In a separate security breach, 1.2 million general user data files, which included names, email addresses and postal addresses, were also stolen. Both security breaches took place last year and Dixons Carphone claims that it has seen no evidence of fraudulent activity arising from the security breaches.
According to the statement published by the retailer this morning, 5.8 million of the 5.9 million card details that the company was holding were encrypted with chip-and-pin.
“The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made,” it said.
However, around 105,000 non-EU issued payment cards without chip-and-pin protection – presumably, cards belonging predominantly to US travellers purchasing goods in Dixons Travel stores at UK airports – have been compromised, the company warned.
It claims to have notified the payment providers so that “appropriate measures” could be taken.
The breach could make Dixons Carphone the first big name to be investigated by the Information Commissioner’s Office (ICO) under the new General Data Protection Regulation (GDPR), which came into force on 25 May this year.
While the Information Commissioner, Elizabeth Denham, has indicated that she would not be coming down hard on breaches of GDPR from day one, the length of time it took Dixons Carphone to detect the breach and notify customers means that the ICO is unlikely to be inclined to let the company off too lightly.
Naturally, Dixons Carphone CEO Alex Baldock, who was only appointed in January, was “extremely disappointed and sorry for any upset this may cause”.
He continued: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so. We promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected.
“Cybercrime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Security software and services companies were quick off the mark with their hot takes on the breach.
“With this being the first major breach reported in the UK since the enforcement of GDPR, the timing is slightly awkward. It will be interesting to see how this is handled – particularly given the actual breach took place last year.
“Questions will no doubt be asked about the safeguarding measures around the data before the breach, and why so many personal records were put at risk in the first place,” proffered Andrew Bushby, UK director at Fidelis Cybersecurity.
Eyal Benishti, CEO and founder of Ironscales, warned consumers to be wary about communications purporting to come from Dixons Carphone.
“Things to look out for will be messages purporting to be from Dixons Carphone offering free credit monitoring services by clicking links which instead will give away even more personal information to the fraudsters,” said Benishti.
He continued: “As payment card data has been affected, we might even see criminals trying to spoof users’ banks in a bid to get users to disclose the three CVV numbers from the back of cards…
“Messages might encourage them to apply for a new card or even persuade them to download a malicious program in the guise of monitoring software purported to help protect them.”