Dixons Carphone has admitted that millions of customer bank card details have been subject to what’s been described as an “unauthorised access to certain data” over the past 12 months.
The company is investigating and has found that, since last July, there have been attempts to compromise 5.9 million cards in one of the payment processing systems for its Currys PC World and Dixons Travel stores.
Dixons Carphone has admitted that it discovered the compromise only in the past week. Approximately 105,000 of the affected cards were non-EU issued cards without chip and PIN protection.
The majority of the 5.9 million cards had chip and PIN protection, according to the company, and the data accessed therefore did not contain PIN codes, card verification values or any other data that would enable cardholder identification.
The company has admitted that non-financial personal data, such as names, addresses or email addresses, was accessed, but Dixons Carphone has insisted that it has seen no evidence of any fraud at this stage.
The breach is currently being investigated by police, and regulators have also been informed.
Dixons Carphone chief executive Alex Baldock said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.
“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
Analysis: Robert Wassall, data protection lawyer and head of legal services at ThinkMarble
It is the reaction that Dixons Carphone has had to the breach, and how they’ve dealt with it, which I think is indicative of how some organisations approach data security.
It’s all very well saying that customers’ financial details are not at risk, or have not been fraudulently used, but they’re missing the point somewhat. If their attitude is “don’t worry because your financial details haven’t been compromised”, that’s a reflection of the wrong attitude towards data protection.
Moreover, it erodes customer trust in the brand and leads to questions as to how they take care of the data that they have been entrusted with. If there’s any doubt as to the security of customers’ data, financial or otherwise, they should be notified immediately and advised accordingly.
The fact that this breach has only just been identified through a routine security review can be viewed from two sides. Yes, it’s great that this breach was identified, as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017; why wasn’t it identified sooner? How often is security scanning done, given that it has taken almost a year to be found?
Another point which needs to be considered is that of financial penalty. The breach began in July 2017, before the GDPR came into effect, but possibly continued past 25 May 2018. Where does responsibility lie in terms of enforcement?