Dixons Carphone Breach Bigger Than First Thought

Dixons Carphone has admitted that its damaging data breach of customer records is larger than first thought.

In June Dixons Carphone had admitted “unauthorised access to certain data”, namely 5.9 million payment cards and 1.2 million personal data records.

But now it believes that additional a total of 10 million customer records have been compromised, which is significantly up from its original estimate of 1.2 million.

Larger breach

The firm said it has been working with ‘leading cyber security experts’ and put into place further security measures ‘to safeguard customer information’, coupled with increasing its investment in cyber security.

The company said personal information, names, addresses and email addresses may have been accessed, however no bank details were taken and it had found no evidence that fraud had resulted from the breach.

The hackers also got access to records of 5.9 million payments cards, but nearly all of those were protected by the chip and pin system.

But unfortunately it seems that the breach of customer records is bigger than first thought, and has grown from 1.2 million customers to a staggering 10 million.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017,” said the firm. “While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted.”

“We are continuing to keep the relevant authorities updated,” said Dixons Carphone. “As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud.”

Fallen short

“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right,” said Dixons Carphone Chief Executive Alex Baldock.

“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” he said.

“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves,” he added.

“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers,” said Baldock. “I want to assure them that we remain fully committed to making their personal data safe with us.”

Expert take

But at least one expert is concerned that the payments cards compromise may not be protected by chip and pin.

“Card Not Present Fraud cost the UK over 200 million pounds last year, and chip and pin security doesn’t help with this type of fraud,” explained Andy Norton, director of threat intelligence at Lastline.

“As with all estimates, they are given at a point in time,” said Norton. “Upon further investigation Dixons found that the breach was 10 times more severe than they originally thought. They also state that as of today, there is no evidence to suggest fraud has arisen because of the breach. Unfortunately, given the accuracy of their previous statements, tomorrow may be a different story.”

Another expert pointed out that firms often find unexpected surprises when investigating a data breach.

“This is a common experience for many victims of a cybercrime – when you discover a breach, start your incident response and digital forensics, you will start to uncover many unexpected surprises,” said Joseph Carson, chief security scientist at Thycotic.

“I believe that Dixons Carphone could carried out better incident response and communications relating to the impacted customers,” said Carson. “Like many companies have done in the past, they disclosed data breach numbers while the digital forensics was still ongoing, and we are likely still to find out the real impact of this data breach.

“The good news is that they are working with cybersecurity professionals and implementing security and protection from unauthorised access which for many companies is still a major gap in cybersecurity today,” he added.

It has been a tough time for Dixons Carphone so far this year, after it also took the decision in May to close 92 standalone stores this year across the country.

How much do you know about hackers? Take our quiz!