Dixons Carphone breach: Personal and payment card info compromised

Dixons Carphone, the multinational electrical and telecommunications retailer that holds over 2,000 stores across the UK, Ireland and mainland Europe, has suffered a security breach.

Dixons Carphone breach

About the breach

The company discovered the “unauthorised access to certain data held by the company” while reviewing their systems and data and that access has since been closed off.

“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores,” the company shared.

“However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers.”

In addition to this, 1.2 million records containing the name, address or email address of customers have been accessed.

The company says that they have “no evidence to date of any fraudulent use of the data as result of these incidents,” that they’ve called in outside experts to help with the investigation, and that they’ve notified the relevant authorities (the ICO, FCA and the police).

An ICO spokesperson has confirmed that they are working with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Affected customers will be notified of the breach directly by the company. They are advised to keep an eye on their bank statements to spot unusual transactions and to be on the lookout for social engineering attacks via phone or email that might leverage the accessed personal information.

Reactions from the industry

David Kennerley, Director of Threat Research at Webroot, says that customers have every right to be concerned, as the company has now been breached twice in 3 years and on both occasions additional security measures were promised.

CybSafe CEO Oz Alashe notes that while there’s no evidence yet that the stolen card details have been misused, it is unfortunately probably more a case of when rather than if.

“It is commonplace that bulk stolen credit card numbers are not used immediately, as it takes time to resell them on the dark web. Criminals also want the attention around the breach to die down before using them. On top of this, we have the loss of over a million personal data records. It is quite likely that poor practices allowed this to happen – if so, this won’t be the first time. Dixons suffered a significant data breach back in 2015, and this latest lapse shows that, by and large, things haven’t changed, and lessons may not have been learned,” he says.

“The company was hit with a £400,000 fine earlier this year for the 2015 breach, which affected over three million customers. In light of the fact that GDPR has now come into force, the fine the company will face for this latest breach could be substantially more.”

According to the ICO spokesperson, it’s too early in the investigation to tell whether the incident happened before or after GDPR became enforceable.

“We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” the spokesperson added.

Barry Scott, CTO, Centrify EMEA, says its will be interesting to see how this plays out.

“Details are sketchy at present, but as a Dixons Carphone statement says ‘we’ve taken action to close off this unauthorised access’ and with over 80% of breaches attributed to loss or misused user credentials it may be reasonable to assume that this could be a possible cause. To protect against breaches that exploit weak or stolen credentials, companies need to adopt a Zero Trust Security model—which assumes that untrusted actors already exist both inside and outside the network—to verify every user, validate their devices, limit access and privilege, and learn and adapt to user behaviour.”