Dixons apologises after card data hacked
● Firm says cyber attack hit personal and card details of millions of customers
Retail firm Dixons Carphone has admitted that hackers have accessed data of 5.9 million customer bank card details and 1.2 million personal data records in the latest cyber attack on a UK firm.
The company, which also owns Currys, said 5.8 million of the cards had been protected by chip and pin and only just over 100,000 non-eu bank cards used in its systems had been compromised.
The group is contacting all those affected, but sought to assure customers it had no evidence that this had resulted in fraud at this stage.
Dixons Carphone chief executive, Alex Baldock, admitted that the firm had “fallen short” on protecting its data.
The breach comes just six months after the firm was hit with a £400,000 fine from the Information Commissioner’s Office (ICO) after a 2015 cyber attack exposed the personal data of more than three million customers of its Carphone Warehouse arm.
Mr Baldock said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
He added: “We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
The National Crime Agency said it is working with the National Cyber Security Centre, industry watchdog the Financial Conduct Authority and the ICO to “understand what’s happened”.
A spokesman for the ICO said: “Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud [the UK’S national fraud and cyber crime reporting centre].”
The latest data breach began in July last year, before 25 May, when new European General Data Protection Regulation (GDPR) rules came into force.
It means that Dixons Carphone could escape hefty fines under the new regime, which can be up to €20 million (about £17.6m) for a significant data breach.
Andy Norton, director of threat intelligence at Lastline said: “This will be an interesting precedent, as the breach occurred PRE-GDPR enforcement date, but the impact to victims will happen postgdpr enforcement date.
“It will also be a dilemma for the ICO, who has shown a preference not to impose large GDPR like fines. However, this is now the second occurrence and the ICO will not want to be seen as being tolerant of data breaches.”
Dixons said the hack occurred in one of the processing systems of Currys PC World and Dixons Travel stores. It said the data accessed did not contain Pin codes, card verification values (CVV) or any authentication data allowing cardholder identification or a purchase to be made.