GCHQ cybersecurity experts investigate Dixons Carphone data breach

The Guardian Australia - Technology - Angela Monaghan

A branch of GCHQ, Britain’s intelligence and security service, is investigating one of the UK’s biggest data breaches at a single firm, involving unauthorised access to 5.9 million Dixons Carphone customers’ cards.

The National Cyber Security Centre said it was working alongside the retailer and other agencies after the attack, which also involved unauthorised access to 1.2m personal records of Dixons Carphone customers.

“Anyone concerned about fraud or lost data should contact Action Fraud and we recommend that people are vigilant against any suspicious activity on their bank accounts,” the NCSC said.

Dixons Carphone said it had identified the massive data breach while it was reviewing its systems and data. The consumer electronics firm said there was an attempt to compromise the cards in a processing system at Currys PC World and Dixons Travel, but said there was no evidence of fraud as a result of the incident.

In a second breach, personal data such as names, addresses or email addresses have been accessed. Again, Dixons said there was no evidence that it had resulted in fraud.

Alex Baldock, its chief executive, apologised for the data breach and admitted the company had failed its customers.

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Baldock said the company had engaged cybersecurity experts to handle the matter and had added extra security measures to its systems.

The retailer will be writing over the coming days to those customers whose personal data was breached, “to inform them, to apologise, and to give them advice on any protective steps they should take”.

Of the 5.9m cards that were accessed illegally, 5.8m were chip and pin protected, and no pin codes, card verification values (CVV) or authentication data were accessed, meaning purchases could not be made.

However, about 105,000 payment cards from outside the EU and without chip and pin protection were accessed. The retailer said it had notified the banks concerned and they had not detected any fraudulent purchases on customer accounts.

Shares in Dixons Carphone fell as much as 6% at one point on Wednesday after the data breach was announced, as investors factored in a potentially steep fine for the company, as well as potential damage to the firm’s reputation.

The retailer said that while the data breach was only discovered over the past week, it occurred within the last year, before 25 May when the new European General Data Protection Regulation (GDPR) rules came into force.

Under the previous Data Protection Act rules, the maximum fine imposed would be £500,000.

Under the GDPR rules, firms could face a maximum of €20m (£17.6m) or 4% of global turnover, whichever is the greater.

The independent regulator, the Information Commissioner’s Office, said it was investigating the breach alongside the NCSC and the Financial Conduct Authority.

A spokesman for the ICO said the investigation was at an early stage. He added: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

Alex Neill, a managing director at the consumer group Which?, said the security breach was a major concern.

“This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data. It is critical the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

Dixons Carphone said its investigation into the cyber-attack had yet to identify the culprit or culprits. The retailer has informed the police and other relevant authorities.

Photograph: Nick Ansell/PA

Shares in Dixons Carphone fell as much as 6% after it announced an attempt had been made to compromise the cards in a processing system.
