Dixons Carphone suffers major data breach with payment cards
Dixons Carphone has admitted it is investigating a serious data breach involving unauthorised access to data held by the company, which has included attempts to compromise 5.9m cards in one of the processing systems of Currys PC World and Dixons Travel stores, although it says no fraud has been committed
13 Jun 2018
In a statement Dixon Carphone said 5.8m of the cards affected have chip and pin protection, and the data accessed did not contain pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.
However, approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.
Separately, its investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed, but Dixons Carphone says there is no evidence that this information has left its systems or has resulted in any fraud at this stage.
The breach started in July last year and has continued. The investigation is ongoing and Dixons Carphone says it has informed the Information Commissioner’s Office (ICO), the Financial Conduct Authority and the police.
Alex Baldock, Dixons Carphone chief executive, said: ‘We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.
‘Cybercrime is a continual battle for business today and we are determined to tackle this fast-changing challenge.’
At the beginning of this year the ICO fined Carphone Warehouse £400,000 in one of the data regulator’s largest fines so far, after finding serious failures placed customer and employee data at risk as a result of a cyber-attack in 2015.
The company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees.
The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
The records for some Carphone Warehouse employees, including name, phone numbers, postcode, and car registration were also accessed.
At the time, Information Commissioner Elizabeth Denham said: ‘A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
‘Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.’
Under the new General Data Protection Regulation rules, which have been adopted in UK law and came into effect on 25 May, fines for data breaches can be up to €20m, or 4% annual global turnover, depending on the type of infringement and the actions of the company concerned.
Report by Pat Sweet