The Guardian Australia

Dixons Carphone reveals data breach affecting 5.9 million customers

- Angela Monaghan

Dixons Carphone has revealed a major breach of data involving unauthorised access to 5.9 million customers' cards and 1.2 million personal records.

The consumer electronics retailer said it was investigating an attempt to compromise the cards in a processing system at Currys PC World and Dixons Travel, but said there was no evidence of fraud as a result of the incident.

In a second breach, personal data, such as names, addresses or email addresses, has been accessed. Again, Dixons said there was no evidence that it had resulted in fraud.

Alex Baldock, the company’s new chief executive, apologised for the data breach and admitted the firm had failed its customers.

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Baldock said the company had engaged cyber security experts to handle the matter and had added extra security measures to its systems.

The retailer will be writing over the coming days to those customers whose personal data was breached, “to inform them, to apologise, and to give them advice on any protective steps they should take”.

Of the 5.9 million cards that were accessed illegally, 5.8 million were chip and pin protected, and no pin codes, card verification values (CVV) or authentication data were accessed, meaning purchases could not be made.

However, about 105,000 payment cards from outside the EU and without chip and pin protection were accessed. The retailer said it had notified the banks concerned and they had not detected any fraudulent purchases on customer accounts.

Shares in Dixons Carphone fell 5.5% after the data breach was announced, as investors factored in a potential fine facing the firm.

The retailer said the data breach was discovered over the past week as part of a review of its systems and data. Although the breach occurred within the last year, it was before 25 May when the new European General Data Protection Regulation (GDPR) rules came into force.

As the data breach pre-dated GDPR, any financial penalty on Dixons Carphone would be imposed under the previous data protection act rules, where the maximum fine imposed would be £500,000.

Under the new rules, firms could face a maximum fine of €20m (£17.6m) or 4% of the company’s global turnover, whichever is the greater.

Alex Neill, a managing director at the consumer group Which?, said the security breach was a major concern.

“This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data - so it is critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

Dixons Carphone said the investigation into the cyber attack was ongoing and that the culprit or culprits had not been identified. The retailer has informed the relevant authorities, including the police, the Information Commissioner’s Office, and the Financial Conduct Authority.

A spokesman for the ICO said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

“Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”

Photograph: Nick Ansell/PA. Dixons Carphone says it is investigating an attempt to compromise the cards in a processing system at Currys PC World and Dixons Travel.
