Hackers steal the details of 6million Dixons customers

Daily Mail - News - By Alex Brummer and Emily Kent Smith. Additional reporting by Victoria Bischoff and Georgia Edkins

ONE of the worst British cyber attacks was only discovered after the hackers had been inside the system for almost a year.

Unbeknown to electronics giant Dixons Carphone, hackers were able to steal the bank details of 5.9million payment cards and the personal data records of a further 1.2million.

The hack was revealed after new chief executive Alex Baldock – who has been at the helm just ten weeks – ordered an urgent review into the firm’s online safety. Weeks in, he discovered hackers had been inside its systems since July last year.

Yesterday the retailer reassured customers that 5.8million payment cards were protected by chip and pin. Around 105,000 non-EU cards without this protection were compromised.

The timing of the hack means Dixons is likely to avoid a fine of almost £20million. Because it happened last year, the firm is likely to fall under old data laws rather than the European General Data Protection Regulation rules that came into force on May 25.

Under the new laws, firms can be fined up to £17million for a significant data breach.

But the Information Commissioner’s Office warned Dixons could still face a multimillion pound fine if it emerges it learned of the hack before it made it public. A spokesman said: ‘We will look at when the incident happened and when it was discovered ... this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.’

Yesterday Mr Baldock told the Mail: ‘One of the early things I did is ... launch a review of our systems and our data. As part of that review we determined that this breach had occurred. Even though the breach itself dates back to July last year we have got clarity on it in the past week.’

‘We are coming out early, very early, in the process.’

The sheer number of people affected makes it the largest UK data breach to date involving financial information. By comparison, when payday lender Wonga was hacked last year the bank details of 245,000 customers were exposed.

Solicitors said it could see Dixons shell out vast sums in compensation to customers who face being targeted by scammers. Sean Humber, of Leigh Day, said: ‘Those affected are likely to have claims for compensation not only for any financial losses ... but also for the anxiety and distress caused.’

Mr Baldock described the hack as ‘a sophisticated attack’ using ‘advanced malware’. In a grovelling apology, he said: ‘It is extraordinarily disappointing and I am extremely sorry and I am unhappy we let ... our customers down.’ The scandal comes after Carphone Warehouse, now owned by Dixons Carphone, was fined £400,000 by the ICO in January following a hack hitting more than three million customers in 2015.

For the past 11 months, hackers have been able to access personal data, including addresses and phone numbers. Dixons said the hack occurred in one of the processing systems of Currys PC World and Dixons Travel stores.

It said the data accessed did not contain pin codes, card verification values or any authentication data allowing cardholder identification or a purchase to be made. It does not believe the data left the group’s systems, but is advising those affected on protective steps they should take. It said card companies had been notified and there was no evidence of card fraud.

But experts warned the data could be sold on by the hackers to other parties – who could continue to abuse it many months down the line.

GCHQ and the FCA are both involved in the investigation.
