Hackers steal the details of 7m Dixons customers
ONE of the worst British cyber attacks was only discovered after the hackers had been inside the system for almost a year.
Unbeknown to electronics giant Dixons Carphone, hackers were able to steal the bank details of 5.9million payment cards and the personal data records of a further 1.2million.
The hack was revealed after new chief executive Alex Baldock – who has been at the helm just ten weeks – ordered an urgent review into the firm’s online safety. Weeks in, he discovered hackers had been inside its systems since July last year.
Yesterday, the retailer reassured customers that 5.8million payment cards were protected by chip and pin. Around 105,000 non-EU cards without this protection were compromised.
The timing of the hack means Dixons is likely to avoid a fine of almost £20million. Because it happened last year, the firm will probably fall under old data laws,
rather than the European General Data Protection Regulation rules that came into force on May 25.
Under the new laws, firms can be fined up to £17million for a significant data breach.
But the Information Commissioner’s Office (ICO) warned Dixons could still face a multi-millionpound fine if it emerges it learned of the hack before they made it public.
A spokesman said: ‘We will look at when the incident happened and when it was discovered as part of our work – this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.’
Yesterday, Mr Baldock told the Mail: ‘I haven’t been at the business for very long. But one of the early things I did do is to kick the tyres in a number of areas.
‘That included launching a review of our systems and our data.
‘As part of that review we determined that this breach had occurred. Even though the breach itself dates back to July last year we have got clarity on it in the past week.
‘We are coming out early, very early, in the process.’
The sheer number of people affected makes it the largest UK data breach to date involving financial information.
By comparison, when payday lender Wonga was hacked last year the bank details of 245,000 customers were exposed.
Solicitors said it could see Dixons shell out vast sums in compensation to customers who face being targeted by scammers.
Sean Humber, of Leigh Day, said: This is a huge data breach made all the more serious because customers’ financial information has been hacked.
‘Those affected are likely to have claims for compensation not only for any financial losses that they may have suffered but also for the anxiety and distress caused by the breach.’
Mr Baldock described the hack as ‘a sophisticated attack’ using ‘advanced malware’.
In a grovelling apology, he said: ‘It is extraordinarily disappointing and I am extremely sorry and I am unhappy we let… our customers down.’
Asked about the prospect of hefty payouts, Mr Baldock said it was ‘too early to speculate’ but admitted customers ‘have every right to expect better from us’.
The scandal comes after Carphone Warehouse, now owned by Dixons Carphone, was fined £400,000 by the ICO in January following a hack hitting more than three million customers in 2015.
For the past 11 months, hackers have been able to access personal data, including addresses and phone numbers. Dixons said that the hack occurred in one of the
‘Financial losses’
processing systems of Currys PC World and Dixons Travel stores.
It said the data accessed did not contain pin codes, card verification values or any authentication data allowing cardholder identification or a purchase to be made. It does not believe the data left the group’s systems, but is advising those affected on protective steps they should take. It said card companies had been notified and there was no evidence of card fraud.
But experts warned the data could be sold on by the hackers to other parties – who could continue to abuse it many months down the line.
Tony Pepper, chief executive officer of data privacy and risk management company Egress, said: ‘The reality is that identify theft is a global market and this information almost certainly could be sold on. The difficulty is it’s a sleeping giant. It might not affect you today or tomorrow.
‘Consumers still share identities across platforms and across multiple systems.’