Dixons Carphone data breach: Company admits attempted hack exposed details of 5.9 million bank cards

The firm says there had been "an attempt to compromise" 5.9 million credit and debit cards last year, with 105,000 cards being leaked

Dixons Carphone, the parent company which owns Currys PC World, Carphone Warehouse and Dixons Travel stores, has admitted a huge data breach involving the personal details of more than 5.9 million customers.

The company said there had been an "attempt to compromise" 5.9 million cards in one of its processing systems last year, but only 105,000 cards without chip-and-pin protection (those issued outside of the EU) had been leaked. We say "only", but that's still a substantial amount of customer details put at risk.

Dixons Carphone data breach

The data accessed in respect of the 5.8 million protected cards contained "neither pin codes, card verification values (CVV) nor any authentication data" which could have been used to identify the cardholder or what they had purchased. Dixons Carphone didn't detail what information had been exposed for the other 105,000 cards, simply saying it had notified the revelant card companies, which in turn will "take the appropriate measures" to protect customers. The release didn't go into detail about what these measure are but it's likely to involve contacting customers directly, or cancelling their cards as a precaution. IT Pro has asked Dixons Carphone for more details.

Dixons Carphone is investigating the attempted hack and said it had already informed the Information Commissioner's Office (ICO), the Financial Conduct Authority as well as the police. It did add that there was "currently no evidence of any fraudulent use of the information."

Advertisement - Article continues below
Advertisement - Article continues below

An ICO spokesperson said: "An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

"Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud."

Beyond the 5.9 million cards, 1.2 million data records including names, addresses and email addresses of customers were also exposed in the Dixons Carphone breach and the company is contacting those whose non-financial data was accessed to "inform them, to apologise, and to give them advice on any protective steps they should take". IT Pro has asked the company for more details about what is being advised and how these customers are being contacted.

The hacking attempt was made on a processing system specific to Currys PC World and Dixons Travel at some point last year. IT Pro has contacted Dixons Carphone for more specific details. Carphone Warehouse said it didn't have any evidence that its own systems had been compromised in this way but it is contacting anyone affected by the breach as a matter of caution.

"The protection of our data has to be at the heart of our business, and we've fallen short here," said Dixons Carphone chief executive Alex Baldock. "We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."

"As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing."

Advertisement - Article continues below

Chris Boyd, lead malware analyst at Malwarebytes, advised customers to beware of criminals trying to contact them to steal more of their data, saying: "Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off guard if they can't remember buying something from Dixons Carphone in the first place. Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required."

Dixons Carphone data breach and GDPR

This data breach is the first major public leak to be announced since the introduction of GDPR in Europe.

Under these new, far-reaching regulations, companies can be fined up to a staggering 20 million, or 4% of global annual turnover (whichever is higher), if they are found to have failed to adhere to GDPR or suffer a data breach. In particular, a company must alert the authorities about a data breach within 72 hours of being made aware of it or face a fine of up to 10 million.

If Dixons Carphone has only just been made aware of the breach and has alerted the authorities in the specified timeframe, it won't be liable for this intial fine. Equally, if the breach occurred last year it will have happened before GDPR came into force on 25 May, suggesting the company will also avoid the other hefty GDPR fines. IT Pro has contacted the ICO for clarification.

Advertisement - Article continues below

Either way, the Dixons Carphone data breach will likely act as a testbed and many other firms will be looking to see how it is handled. The previous Data Protection Act 1998 capped financial penalties at 500,000 if firms were found to have breached the Data Protection Act 1998. Yahoo's UK branch, as an example, was handed a 250,000 fine by the ICO this week over a data breach in 2014 which saw hackers steal 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said "the inadequacies found had been in place for a long period of time without being discovered or addressed".

Advertisement - Article continues below

Dixons Carphone subsidiary Carphone Warehouse holds the joint-record for a UK data protection fine, 400,000, issued for a 2015 data breach. At the time, the ICO said the retailer had failed to implement "basic, commonplace measures". 

Picture: Shutterstock

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020