Dixons Carphone admits data breach of 5.9 million customers

Data breach involving millions of customer payment cards and personal data records.


Dixons Carphone has revealed details of an attempt by hackers to gain access to one of the processing systems of Currys PC World and Dixons Travel stores in July 2017. Dixons says the vast majority of the cards involved – 5.8 million – have chip and PIN protection, and that the attackers have not gained access to PIN codes, CVV (card verification value) security numbers or any authentication data which could enable them to identify the cardholder or make purchases.

However, around 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised. Dixons says it immediately notified the card companies and banks, which are taking “the appropriate measures to protect customers”. Separately, 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed, but Dixons says it has no evidence at this stage that this information has left its systems or resulted in any fraud.

The company is writing over the coming days to those customers whose personal data was breached, “to inform them, to apologise, and to give them advice on any protective steps they should take”. Dixons Carphone said there was no evidence of fraud as a result of the incident and added that it was working with leading cybersecurity experts to examine and strengthen its systems. The company has notified the relevant card companies so customer protection measures can be put in place.

The group also discovered that 1.2m records containing non-financial personal data such as names and email addresses had been accessed, but added that there was no evidence of fraud with this particular set of data.

Shares in the company fell 5.5pc after the breach was announced, as many investors braced themselves for a fine to be issued. Although the incident occurred within the last year, it predated the 25 May enforcement date for GDPR, so any fine issued would be under the previous data protection rules in the UK.

The individual or group responsible has not been identified and investigations into the incident are ongoing.

CEO of Dixons Carphone, Alex Baldock, expressed his disappointment:

“The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and, though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

The company issued the following statement:

Investigation Into Unauthorised Data Access

As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as a result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.

Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.

Dixons Carphone Chief Executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”

This release contains inside information.

Just last month, Dixons Carphone announced the closure of 92 Carphone Warehouse stores due to changing consumer habits.
