Criminals have harvested millions of Dixons Carphone customers’ details in a massive data breach.
The retailer revealed on Wednesday morning that data about 5.9 million payment cards was breached when hackers infiltrated the processing systems of Currys PC World and Dixons Travel stores.
The data did not include CVV numbers, but around 105,000 of the cards were non-EU cards lacking chip and PIN protection. The firm said it had notified the card companies and that there was no evidence of fraud as a result of the breach.
An internal investigation into the breach also revealed that 1.2 million personal data records including names, addresses and email addresses had been breached in a separate incident. The retailer is contacting affected customers and advising them about how they can protect themselves from fraud.
It is not yet clear if the Information Commissioner’s Office will assess the breach under GDPR or previous data protection regulations. An ICO spokesperson told NS Tech: “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
The breach reportedly started in July last year, before the new regulations came into effect. If it is assessed under the outgoing Data Protection Act, the ICO will have the power to fine the company up to £500,000. But if it is dealt with under the new Data Protection Act and GDPR, the ICO could issue a fine of up to 4 per cent of annual turnover.
Dixons Carphone CEO Alex Baldock said the firm had promptly launched an investigation, engaged cyber security experts and added extra security to its systems.
“We are extremely disappointed and sorry for any upset this may cause,” he added. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
An ICO spokesperson said the regulator is liaising with the National Cyber Security Centre, the Financial Conduct Authority and “other relevant agencies” to “ascertain the details and impact on customers”.
Chris Boyd, Lead Malware Analyst at Malwarebytes, said that while cancelling cards is a pain, the bigger issue is the personal data the criminals stole.
“Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required,” he warned.
In January, the ICO fined Carphone Warehouse £400,000 for a data breach that occurred in 2015. The Information Commissioner Elizabeth Denham said at the time: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems.”
This story has been updated to include a new statement from the Information Commissioner’s Office.