Failure to protect data after hackers access 5.9m bank cards at Dixons Carphone

Reporter: Stuart Littleford

Dixons Carphone says it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.

Dixons Carphone told GPSJ: “As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers.

We have no evidence of any fraud on these cards as a result of this incident. Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.

Dixons Carphone Chief Executive, Alex Baldock, told GPSJ: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fastchanging challenge.”

Simon Cuthbert, Head of International at 8MAN by Protected Networks told GPSJ: “This breach is just another example of an organisation failing to protect their most important asset – data. The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. Not to mention – this is the first breach case since the GDPR deadline passed on the 25 May. It will be interesting, and noteworthy, to see how the ICO respond to this breach as it will likely set a precedent for those that follow, and certainly kick others into action if they haven’t already ensured they are meeting, or at least attempting to meet, the new requirements.

If Dixons Carphone are unable to provide information on who accessed the data, when, and what they did with it, and deliver a report that evidences this, then they stand a risk of really falling foul of the regulator. Organisations need to ensure they have visibility of who has access to what data, and what they are doing with it, and demonstrate they are taking the necessary steps to protect their data.”

GPSJ asked if the data stolen had been “encrypted” at any stage but has not received a response from Dixons Carphone.