Dixons Carphone has announced that the data breach it suffered last year affected more customers than initially believed.
The electricals retailer announced in June that, following a review of its system’s security, it had found past unauthorised access to some of its data. The ongoing investigation, which is now nearing completion, identified that approximately 10 million records containing personal data may have been accessed in 2017.
While there is now evidence that some of this data may have left Dixons Carphone’s systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted, a company statement noted.
The statement added: “We are continuing to keep the relevant authorities updated. As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud. As we indicated previously, we have taken action to close off this access and have no evidence it is continuing. We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”
Dixons Carphone Chief Executive Alex Baldock commented: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves. Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
Among those to comment in the wake of the news was World Wide Technology VP Europe Ben Boswell. He noted: “Under GDPR, data governance, including secure storage, access, audit and mapping, is now a direct responsibility of the business, and failure to comply can lead to heavy fines.
“To avoid a similar crisis, the first step organisations must take is to understand the intricacies of the existing security structure. This will enable them to be able to detect unusual activity and put a quick response in place to safeguard sensitive customer data.
“As the influx of IoT (Internet of Things) technology remodels the retail landscape and increases cybersecurity risks, systems that continually monitor and react to data anomalies are the key to fast responses to security breaches. Without these systems in place, retail organisations will continue to expose customer data to security compromises and risk not only sensitive customer information but also incur crippling fines under GDPR.”