Dixons Carphone At Centre Of Huge Data Breach

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

At least 5.9 million payment cards and 1.2 million personal data records have been compromised

Dixons Carphone is investigating after it admitted “unauthorised access to certain data” held by the company.

The admission by the high street retailer was made worse when it revealed that 5.9 million payment cards and 1.2 million personal data records have been compromised.

This is on top of the bad news last month, when Dixons Carphone took the decision to close 92 standalone stores this year across the country.

Data breach

Dixons Carphone admitted the data breach this week. It said that it has launched an investigation and “engaged leading cyber security experts as well as adding extra security measures”, and that it has “no evidence to date of any fraudulent use of the data as a result of these incidents.”

“We have also informed the relevant authorities including the ICO, FCA and the police,” it said.

The firm said that its investigation revealed an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, most of these cards (5.8 million) have chip and PIN protection and CVV protection, which limits how the card data could be used.

“But approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised,” it said. “As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers.

“Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed,” it said.

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here,” said chief executive, Alex Baldock.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” said Baldock. “We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”

Expert reaction

But experts were quick to warn that firms need to become more serious about securing customer data.

“This latest breach serves as a fresh reminder that the cyber danger still rings loud and clear for businesses,” said Anthony Chadd, director of EMEA at Neustar. “With another organisation falling victim to the threat of cyber-attackers, cyber-security strategies can no longer be managed reactively.”

“From DDoS and web application attacks to ransomware, the cyber-danger is real – and with legislation such as GDPR now in play, it has never been more critical that customer information is robustly safeguarded,” he said.

Another expert warned of the sophisticated attacks the retail sector is facing.

“Cyber criminals continue to develop and carry out sophisticated attacks on the retail sector where personal data and payment information are often transmitted and stored in unsecure ways,” commented James Hadley, CEO & Founder of Immersive Labs. “Companies, including those in the retail sector, need to ensure they have both technical solutions and skilled technical staff to reduce risks to acceptable levels.”

“The breach at Dixons Carphone highlights, yet again, how common attempts at exfiltrating personal data and payment card information have become,” said Lee Munson, Security Researcher at Comparitech.com. “What is worrying here is the delay between the breach occurring last year and the disclosure today.

“Whether or not that was down to the company not being aware until now is unclear,” he added. “Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO must be informed within 72 hours whenever possible.”

All these breaches are also likely to erode public trust in the ability of firms to safeguard their data.

“As the latest in a long line of big companies admitting data breach and loss of data, the public’s trust in the ability of these companies to safeguard their data is being eroded,” said Niall Sheffield, Lead Solutions Engineer at SentinelOne.

“Companies need to show their commitment to keeping their customers safe by investing in technologies and processes that ensure integrity. If companies are unable to do this, then regulations such as GDPR are going to publicly shame and fine these companies, as well as customers going elsewhere,” he said.

This was backed by another expert.

“This breach is just another example of an organisation failing to protect their most important asset – data,” said Simon Cuthbert, Head of International at 8MAN by Protected Networks. “The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. Not to mention – this is the first breach case since the GDPR deadline passed on the 25th May.”

Change passwords

“Another High Street business has been targeted and successfully hacked,” said Patrick Hunter, EMEA Director at One Identity. “Retail companies are always going to be a good source of credit card and personal information as companies, like Dixons, collect a lot of customers. The first major example of this was the Target breach in the US and this caused a massive amount of negative news for Target themselves but it should also have been a warning.”

“Victims of the Dixons Carphone data breach should immediately change elements of their account security, such as passwords, as the moments after a data breach are when victims are most vulnerable,” said Paul Edon, Technical Director (EMEA) at Tripwire.

“Even though Dixons Carphone released a statement saying that there is ‘no evidence of cards being used fraudulently following the breach’, it is imperative that individuals continually monitor their bank accounts and report any signs of identity theft or fraudulent activity to their banks,” he warned.
