Electrical retailer and services company Dixons Carphone has admitted to a customer data breach on a huge scale. An ongoing investigation at the company has revealed that hackers attempted to access the data of 5.9 million cards held in one of the processing systems for Currys PC World and Dixons Travel stores.
While that data contains neither PINs, card verification values (CVV), nor any authentication data that would allow a cardholder to be identified, approximately 105,000 non-EU-issued payment cards, which lack chip and PIN protection and are therefore easier to abuse once the card data is exposed, have been compromised, leading Dixons Carphone to notify the affected card companies.
Dixons Carphone CEO Alex Baldock said:
We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
The investigation has also revealed that 1.2 million records containing non-financial personal data, such as name, address, or email address, have been accessed. The company has announced that it is contacting the customers affected to apologise for the breach and to advise them on the protective steps they now need to take.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems, and will be communicating directly with those affected,” continued Baldock. “Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Internet of Business says
While there is no reported evidence of fraud so far against the cards affected by the data breach, this represents a huge embarrassment for Dixons Carphone and will have long-term repercussions for its customers, in terms of their willingness to trust the company.
In the wake of last year's announcement that it would be closing 92 of its stores in the face of falling profits, this can only make things worse for the company. At the time of writing, Dixons Carphone shares are down almost four percent.
The breach is reported to have started in July last year, leaving questions unanswered as to why customers weren’t alerted sooner, and suggesting that the company’s cybersecurity infrastructure and procedures are not robust.
Although the intrusion itself predates GDPR, the announcement is the first major European data breach to be reported since the regulation came into force on 25 May 2018. Among other things, GDPR requires data protection to be designed into the development of business processes for products and services, and provides for fines of up to four percent of annual global turnover (or €20 million, whichever is higher) for serious infringements.
Under GDPR, the data controller is obliged to inform the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. Where the breach is likely to result in a high risk to individuals, the controller must also inform those individuals without undue delay.
This is one of the largest data breaches yet seen in the UK and represents a punch from which an already staggering Dixons Carphone needs to recover quickly.