Dixons Carphone has launched an investigation after admitting to a massive data breach involving 5.9 million payment cards and 1.2 million personal data records.
According to a statement released by the company, Dixons Carphone said that there had been "unauthorised access to certain data" held by the company.
The company said that in its ongoing investigation, it found that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. It added that 5.8 million of these cards have chip and pin protection.
“The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made,” said the company in a statement.
It added that around 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. Dixons Carphone said that as a precaution, it has notified the relevant card companies via its payment provider about all these cards so that they could take the appropriate measures to protect customers. It said that it had no evidence of any fraud on these cards as a result of this incident.
It also found that 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed. It added that it had found no evidence that this information has left its systems or has “resulted in any fraud at this stage”. Dixons Carphone said it would be contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.
Dixons Carphone chief executive Alex Baldock said it was "extremely disappointed" by the data breach and "sorry for any upset".
"The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously," he said.
Baldock said the company had engaged cyber-security experts to handle the matter and would be communicating directly with those customers affected.
“Cyber-crime is a continual battle for business today and we are determined to tackle this fast-changing challenge,” he added.
Paul German, CEO of Certes Networks, told SC Media UK that as a multinational organisation, Dixons Carphone would have been well aware of the Target breach but didn't take action to protect themselves against the exact same compromise where credit card data was targeted.
“When it comes to data breaches, any organisation should assume that a data breach will happen at some point and therefore take steps to prevent several millions of records being accessed,” he said.
“Dixons Carphone should have used encryption as a segmentation method which would divide the infrastructure into smaller, manageable sections, creating a reduced scope of risk for the entire infrastructure. When a data breach occurs, the breach is contained to these smaller risk domains and is not able to laterally spread around the entire organisation, preventing sensitive information like credit card details being accessed.”
“The real question is: how many more retailers have taken the ‘do nothing’ approach like Dixons obviously have?” he added.
Chris Boyd, lead malware analyst at Malwarebytes, told SC Media UK that cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals.
“The possibility of phishing attempts using this information is a good one, and people could be caught off guard if they can't remember buying something from Dixons Carphone in the first place. Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required,” he said.