June 13th 2018
Consumer electronics retailing giant Dixons Carphone has revealed that it has fallen victim to a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.
The hacking attempt – which began in July last year but, according to Dixons Carphone, was discovered only last week – is being investigated by the company, which has also informed the Information Commissioner’s Office (ICO). Apparently, leading cybersecurity experts have been brought in and additional security measures applied to its systems in the aftermath. Dixons Carphone says it is contacting affected customers.
The company has said that there was “an attempt to compromise” 5.8 million credit and debit cards, but that only 105,000 non-European cards without chip-and-pin protection had been leaked. But it has added that it has no evidence that any of the cards had been used fraudulently following the breach.
The company has also reported that 1.2 million records containing personal details such as names, addresses or email addresses had been illicitly accessed, adding that this access has now been blocked.
The company, formed as a result of a merger in 2014, suffered a previous data breach in 2015, for which it was fined £400,000 by the ICO. It denies any claims that the two incidents are connected. Because the latest breach occurred prior to the new GDPR rules coming into force, it seems any penalties will come under the now-defunct Data Protection Act, under which penalties are lower than those under GDPR.
Alex Baldock, the company’s Chief Executive, said in a statement: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
Mr Baldock added: “We are extremely disappointed for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”
Get Safe Online’s Tim Mitchell commented: “Apart from the obvious issues around compromised data, this also represents an ideal opportunity for fraudsters to exploit the situation with fake phone calls, emails and text messages claiming to be from Dixons Carphone. We anticipate that these approaches will come thick and fast, with people being tricked into revealing confidential details such as account logins in an attempt to commit fraud or identity theft, or both.”
He added: “If you receive a call, email or other communication claiming to be from Dixons Carphone or Carphone Warehouse, treat it with caution, and telephone the company on what you know to be the real number to check if it’s authentic.”
An ICO statement read: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.”
The news was greeted with a dip in the company’s share price on the London Stock Exchange.