
Oscar Williams

News editor

Dixons Carphone becomes the latest firm to massively underestimate the size of a breach

Dixons Carphone has admitted that the hackers who infiltrated its systems last year stole data belonging to 10 million customers, nearly 9 million more than it first thought.

The consumer electronics giant claimed in June that 1.2 million customers’ data had been stolen during the breach, along with 5.9m payment card details, the vast majority of which had chip and pin protection.

But on Tuesday morning the firm confirmed that, following an investigation, it has identified around 10m records containing personal data that may have been accessed during last year’s breach.

“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves,” said Alex Baldock, CEO of Dixons Carphone, in a statement.

“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

A spokesperson for the Information Commissioner’s Office confirmed that the regulator is reviewing the new information. “In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers,” he added.

The ICO has not yet decided if the breach will be assessed under new European data protection regulations that came into force in May and offer regulators the power to fine firms up to 4 per cent of their annual global turnover.

One Identity’s Bill Evans described the retailer’s latest update as “odd”. “They managed to find the first million but missed the other 9,000,000? It may be some time before we know as the details remain sketchy, but one has to wonder in this day and age of GDPR with its requirement for hyper-auditing how this was missed,” he added.

The retailer is not the only company to have underestimated the size of a breach. Last October, Yahoo revealed that its data breach affected all 3bn of its user accounts, having previously suggested it affected more than 1bn.