Dixons Carphone has admitted to a major data breach involving 5.9 million payment cards and 1.2 million personal data records.
The incident began in July 2017, when attackers attempted to compromise the 5.9 million payment cards held in one of the processing systems used by Currys PC World and Dixons Travel stores. In a second breach, the names, postal addresses and email addresses of 1.2 million customers were accessed.
Dixons Carphone’s chief executive, Alex Baldock, has apologised for the breach and admitted that the company failed its customers. It has taken action to “close off this unauthorised access” and will be communicating directly with affected customers.
Are you affected?
Given that there are a number of Carphone Warehouse and Currys stores in Ireland, people there will be wondering whether they are affected.
According to Dixons Carphone, 5.8 million of the cards involved have chip and PIN protection and attackers have not gained access to PIN codes, CVV security numbers or any authentication data that could enable them to identify the cardholder or make purchases.
Unfortunately, about 105,000 non-EU-issued payment cards, which lack chip and PIN protection, have been compromised. Dixons Carphone immediately notified the card schemes and issuing banks, which are taking “the appropriate measures to protect customers”.
This isn’t the first time
This isn’t the first time that the retailer has suffered a data breach. In 2015, the personal data of 2.4 million Dixons Carphone customers was affected. This included names, addresses, dates of birth, email addresses and bank details, as well as the encrypted card details of 90,000 people.
The UK’s data protection office, the Information Commissioner’s Office (ICO), investigated and fined Dixons Carphone £400,000 this January – one of the largest fines to date – for “multiple inadequacies” in its approach to data security.
With the General Data Protection Regulation (GDPR) now in effect, it is likely that any fine the ICO issues relating to the new breach will be significantly heavier, especially if Dixons Carphone failed to implement appropriate measures following the 2015 incident. One caveat: the GDPR only applied from 25 May 2018, and this breach began in July 2017, so conduct before that date falls under the Data Protection Act 1998 and its £500,000 maximum penalty; the heavier GDPR fines would apply only to infringements after the new regime took effect.
However, administrative fines might be the least of Dixons Carphone’s worries. Reputational damage is also a significant threat, as is the possibility of legal action from data subjects if their rights have been infringed because of the company’s non-compliance with the GDPR.
Dixons Carphone shares fell more than 3% following the announcement, which is an additional blow after the company’s warning last month of a sharp fall in profits this year and plans to close 92 of its more than 700 Carphone Warehouse stores because of tough trading conditions.
It’s not too late to start your GDPR compliance journey
Data breaches can happen to any organisation at any time, so data security and GDPR compliance should be a matter of urgency for all companies.