Dixons Carphone admits data breach involving 5.9m customers

13 Jun 2018

Dixons Carphone website. Image: chrisdorney/Shutterstock

Dixons Carphone is investigating a breach involving millions of customer payment cards and personal data records.

Consumer technology retail firm Dixons Carphone has revealed details of an attempt by hackers to gain access to one of the processing systems of Currys PC World and Dixons Travel stores in July 2017.

The processing system in question contained details of 5.9m payment cards, with 5.8m of these protected by chip and pin. The data accessed in respect of the latter did not include pin codes, CVV numbers or other authentication materials. The company did admit, though, that 105,000 non-EU issued payment cards without chip and pin protection had been compromised.

Dixons Carphone said there was no evidence of fraud as a result of the incident and added that it was working with leading cybersecurity experts to examine and strengthen its systems.

Dixons Carphone notifies card firms

Dixons Carphone has notified the relevant card companies so customer protection measures can be put in place.

The group also discovered that 1.2m records containing non-financial personal data such as names and email addresses had been accessed, but added that there was no evidence of fraud with this particular set of data.

Shares in the company fell 5.5pc after the breach was announced, as many investors braced themselves for a fine to be issued. Although the incident occurred within the last year, it predated the 25 May enforcement date for GDPR, so any fine issued would be under the previous data protection rules in the UK.

The individual or group responsible has not been identified and investigations into the incident are ongoing.

Determined to fix the situation

CEO of Dixons Carphone, Alex Baldock, expressed his disappointment: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and, though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

He added that the company is “determined to put this right” and is taking the necessary steps to do so, noting: “[We] promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected.”

Just last month, Dixons Carphone announced the closure of 92 Carphone Warehouse stores due to changing consumer habits.

Niall Sheffield, lead solutions engineer at SentinelOne, said: “Companies need to show their commitment to keeping their customers safe by investing in technologies and processes that ensure integrity. If companies are unable to do this, then regulations such as GDPR are going to publicly shame and fine these companies, as well as customers going elsewhere.”


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.