Dixons Carphone hit with major data breach

Wednesday, 13 Jun, 2018

Electronics retailer Dixons Carphone has suffered a massive data breach, with attackers accessing 5.9 million customer payment-card details and a further 1.2 million records containing personal information.

"While Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it's unlikely to be long before it starts being shopped around amongst criminals, with ensuing phishing and brute-force attacks launched".

However, the firm said that 5.8 million of the cards have chip-and-PIN protection and that PIN codes and CVV numbers were not accessed.

Dixons Carphone (DSITF) said Wednesday that it had discovered an attempt to compromise card processing systems at its Currys PC World and Dixons Travel stores.

In addition to payment cards, the intruders also accessed 1.2M records containing non-financial personal data - such as name, address or email address.

The group is contacting all those affected, but sought to assure customers it had no evidence that this had resulted in fraud at this stage.

"The protection of our data has to be at the heart of our business, and we've fallen short here".

Dixons Carphone said it had immediately notified the relevant card companies so that they could protect customers.

Carphone Warehouse is one of many High Street retailers feeling the strain of tough economic challenges.

However, around 105,000 of the accessed cards were non-EU issued and lacked chip-and-PIN, and it says those cards have been compromised.

Because the data breach dates back to the previous year, it will be dealt with by the ICO under the powers of the Data Protection Act 1998 and not the European Union General Data Protection Regulation (GDPR), which went into effect on May 25.

Dixons Carphone has revealed it has been hit by a huge data breach. "We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems".

"The fact this only came to light now thanks to a review of the company's systems and data and actually occurred in 2017 is also cause for some concern", he said.

The UK Information Commissioner's Office said it was aware of the data breach.

"The NCSC website offers advice to organisations about ensuring their online security is as robust as possible, including guidance on protecting bulk personal data from cyber attack", they added.