Dixons Carphone data breach resulted in the loss of 10m customer records
31 July 2018
Back in June, Dixons Carphone announced that a massive data breach that it had suffered last year had resulted in the compromise of 105,000 non-EU issued payment cards which did not have chip and pin protection in place.
Hackers behind the operation stole details of as many as 5.8 million other payment cards and according to Dixons Carphone, also managed to steal 1.2 million records containing non-financial personal data, such as name, address or email address of customers.
Breach impacted 10 million customer records
In a fresh statement, Dixons Carphone announced today that instead of 1.2 million customer records, hackers were, in fact, able to steal approximately 10 million customer records but the same did not include payment card or bank account details.
“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted,” it said.
At the moment, the Information Commissioner’s Office is liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details of the breach and impact on customers. However, the ICO is yet to confirm whether the breach will be dealt with under the 1998 or 2018 Data Protection Acts.
The retailer has since promised that it is putting in place further security measures and increase its investment on cyber security to safeguard customer information.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said Alex Caldock, Chief Executive of Dixons Carphone.
“This is a common experience for many victims of a cybercrime – when you discover a breach, start your incident response and digital forensics, you will start to uncover many unexpected surprises. I believe that Dixons Carphone could carry out better incident response and communications relating to the impacted customers,” said Joseph Carson, Chief Security Scientist at Thycotic.
“Like many companies have done in the past, they disclosed data breach numbers while the digital forensics was still ongoing, and we are likely still to find out the real impact of this data breach. The good news is that they are working with cybersecurity professionals and implementing security and protection from unauthorised access which for many companies is still a major gap in cybersecurity today,” he added.
Dixons Carphone fined previously for suffering major breach
This isn’t the first time that Dixons Carphone has suffered a major data breach impacting millions of customers. In 2015, a division of the retailer that operated websites such as OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provided services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers suffered a cyber attack that resulted in the loss of encrypted credit card information of up to 90,000 people, as well as personal details of 2.4 million people.
Dixons Carphone was eventually fined £400,000 by the Information Commissioner’s Office for failing to prevent unauthorised access to the personal data of over three million customers and 1,000 employees.
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” the ICO noted.