Hackers steal the details of 6million Dixons customers
ONE of the worst British cyber attacks was only discovered after the hackers had been inside the system for almost a year.
Unbeknown to electronics giant Dixons Carphone, hackers were able to steal the bank details of 5.9million payment cards and the personal data records of a further 1.2million.
The hack was revealed after new chief executive Alex Baldock – who has been at the helm just ten weeks – ordered an urgent review into the firm’s online safety. Weeks in, he discovered hackers had been inside its systems since July last year.
Yesterday the retailer reassured customers that 5.8million payment cards were protected by chip and pin. Around 105,000 non-EU cards without this protection were compromised.
The timing of the hack means Dixons is likely to avoid a fine of almost £20million. Because it happened last year, the firm is likely to fall under old data laws rather than the European General Data Protection Regulation rules that came into force on May 25.
Under the new laws, firms can be fined up to £17million for a significant data breach.
But the Information Commissioner’s Office warned Dixons could still face a multimillion-pound fine if it emerges it learned of the hack before it made it public. A spokesman said: ‘We will look at when the incident happened and when it was discovered ... this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.’ Yesterday Mr Baldock told the Mail: ‘One of the early things I did is ... launch a review of our systems and our data. As part of that review we determined that this breach had occurred. Even though the breach itself dates back to July last year we have got clarity on it in the past week.’
‘We are coming out early, very early, in the process.’
The sheer number of people affected makes it the largest UK data breach to date involving financial information. By comparison, when payday lender Wonga was hacked last year the bank details of 245,000 customers were exposed.
Solicitors said it could see Dixons shell out vast sums in compensation to customers who face being targeted by scammers. Sean Humber, of Leigh Day, said: ‘Those affected are likely to have claims for compensation not only for any financial losses ... but also for the anxiety and distress caused.’
Mr Baldock described the hack as ‘a sophisticated attack’ using ‘advanced malware’. In a grovelling apology, he said: ‘It is extraordinarily disappointing and I am extremely sorry and I am unhappy we let ... our customers down.’ The scandal comes after Carphone Warehouse, now owned by Dixons Carphone, was fined £400,000 by the ICO in January following a hack hitting more than three million customers in 2015.
For the past 11 months, hackers have been able to access personal data, including addresses and phone numbers. Dixons said the hack occurred in one of the processing systems of Currys PC World and Dixons Travel stores.
It said the data accessed did not contain pin codes, card verification values or any authentication data allowing cardholder identification or a purchase to be made. It does not believe the data left the group’s systems, but is advising those affected on protective steps they should take. It said card companies had been notified and there was no evidence of card fraud.
But experts warned the data could be sold on by the hackers to other parties – who could continue to abuse it many months down the line.
GCHQ and the FCA are both involved in the investigation.