Dixons Carphone has admitted that a huge data breach from last year was far more extensive than previously thought, involving 10 million customers.
Consumer retailer Dixons Carphone initially reported that a hack had exposed the data of around 1.2 million customers back in June 2017. The company said that personal information, including names, addresses and email addresses, may have been accessed. Although no bank details were involved, 5.9 million payment cards were exposed; these were protected by chip and PIN, according to Dixons Carphone.
However, in a statement today the company said that the number of customers involved in the breach has multiplied by a factor of 8.2, but that "there is no evidence that any fraud has resulted".
Joseph Carson, Chief Security Scientist at Thycotic said: "This is a common experience for many victims of a cyber-crime - when you discover a breach, start your incident response and digital forensics, you will start to uncover many unexpected surprises. I believe that Dixons Carphone could have carried out better incident response and communications relating to the impacted customers. Like many companies have done in the past, they disclosed data breach numbers while the digital forensics were still ongoing, and we are likely still to find out the real impact of this data breach. The good news is that they are working with cyber-security professionals and implementing security and protection from unauthorised access which for many companies is still a major gap in cyber-security today."
Dixons Carphone has been working with the National Cyber Security Centre (NCSC), the Financial Conduct Authority and the Information Commissioner's Office (ICO) to assess the impact of the breach.
An ICO spokesperson said: "Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated.
"Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers."
Bill Evans, senior director at One Identity, said that the timeline of the incident raises significant questions: "First, how or why did the investigators miss so many breached records? They managed to find the first million but missed the other 9,000,000? Seems odd. It may be some time before we know as the details remain sketchy, but one has to wonder in this day and age of GDPR with its requirement for hyper auditing how this was missed.
"The paradox here is that Dixon’s reported that the information from most of the credit cards that were stolen was protected by the 'pin & chip' security strategy. In the world of cyber-security, this is known as multi-factor authentication, whereby the user must know something (a password or PIN) and have something (a mobile phone or credit card). It’s great that Dixon’s and its consumers were protected by this strategy. On the other hand, one has to wonder whether this same strategy was in place within the realm of the administrators at Dixon’s. Was this one of the lapses in security that contributed to the breach?
"Again, only time will tell what new security measures will be put in place to prevent another breach. It’s just a bit frustrating that it takes breaches like this to drive organisations to make the investment."