Dixons Carphone data breach: Company admits attempted hack exposed details of 5.9 million bank cards

The firm says there had been "an attempt to compromise" 5.9 million credit and debit cards last year, with 105,000 cards being leaked

Dixons Carphone, the parent company which owns Currys PC World, Carphone Warehouse and Dixons Travel stores, has admitted a huge data breach involving the personal details of more than 5.9 million customers.

The company said there had been an "attempt to compromise" 5.9 million cards in one of its processing systems last year, but only 105,000 cards without chip-and-pin protection (those issued outside of the EU) had been leaked. We say "only", but that's still a substantial amount of customer details put at risk.

Dixons Carphone data breach

The data accessed in respect of the 5.8 million protected cards contained "neither pin codes, card verification values (CVV) nor any authentication data" which could have been used to identify the cardholder or what they had purchased. Dixons Carphone didn't detail what information had been exposed for the other 105,000 cards, simply saying it had notified the revelant card companies, which in turn will "take the appropriate measures" to protect customers. The release didn't go into detail about what these measure are but it's likely to involve contacting customers directly, or cancelling their cards as a precaution. IT Pro has asked Dixons Carphone for more details.

Advertisement - Article continues below

Dixons Carphone is investigating the attempted hack and said it had already informed the Information Commissioner's Office (ICO), the Financial Conduct Authority as well as the police. It did add that there was "currently no evidence of any fraudulent use of the information."

Advertisement - Article continues below

An ICO spokesperson said: "An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

"Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud."

Beyond the 5.9 million cards, 1.2 million data records including names, addresses and email addresses of customers were also exposed in the Dixons Carphone breach and the company is contacting those whose non-financial data was accessed to "inform them, to apologise, and to give them advice on any protective steps they should take". IT Pro has asked the company for more details about what is being advised and how these customers are being contacted.

Advertisement - Article continues below

The hacking attempt was made on a processing system specific to Currys PC World and Dixons Travel at some point last year. IT Pro has contacted Dixons Carphone for more specific details. Carphone Warehouse said it didn't have any evidence that its own systems had been compromised in this way but it is contacting anyone affected by the breach as a matter of caution.

"The protection of our data has to be at the heart of our business, and we've fallen short here," said Dixons Carphone chief executive Alex Baldock. "We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."

"As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing."

Advertisement - Article continues below
Advertisement - Article continues below

Chris Boyd, lead malware analyst at Malwarebytes, advised customers to beware of criminals trying to contact them to steal more of their data, saying: "Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off guard if they can't remember buying something from Dixons Carphone in the first place. Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required."

Dixons Carphone data breach and GDPR

This data breach is the first major public leak to be announced since the introduction of GDPR in Europe.

Under these new, far-reaching regulations, companies can be fined up to a staggering 20 million, or 4% of global annual turnover (whichever is higher), if they are found to have failed to adhere to GDPR or suffer a data breach. In particular, a company must alert the authorities about a data breach within 72 hours of being made aware of it or face a fine of up to 10 million.

Advertisement - Article continues below

If Dixons Carphone has only just been made aware of the breach and has alerted the authorities in the specified timeframe, it won't be liable for this intial fine. Equally, if the breach occurred last year it will have happened before GDPR came into force on 25 May, suggesting the company will also avoid the other hefty GDPR fines. IT Pro has contacted the ICO for clarification.

Either way, the Dixons Carphone data breach will likely act as a testbed and many other firms will be looking to see how it is handled. The previous Data Protection Act 1998 capped financial penalties at 500,000 if firms were found to have breached the Data Protection Act 1998. Yahoo's UK branch, as an example, was handed a 250,000 fine by the ICO this week over a data breach in 2014 which saw hackers steal 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said "the inadequacies found had been in place for a long period of time without being discovered or addressed".

Dixons Carphone subsidiary Carphone Warehouse holds the joint-record for a UK data protection fine, 400,000, issued for a 2015 data breach. At the time, the ICO said the retailer had failed to implement "basic, commonplace measures". 

Picture: Shutterstock

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

The road to recovery

30 Jun 2020