Electricals retailer Dixons Carphone has admitted to a significant data breach which it discovered during a review of its systems and data.
The company determined that there had been unauthorised access to certain data, and responded by launching an investigation, engaging leading cyber security experts and adding extra security measures to its systems.
A statement from the company noted: “We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as a result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.”
While the investigation is ongoing, the company indicated that there had been an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip-and-PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made, Dixons Carphone added.
Approximately 105,000 non-EU issued payment cards which do not have chip-and-PIN protection have been compromised. The statement said: “As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.
“Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.”
Dixons Carphone chief executive Alex Baldock said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Varonis director of sales engineers Matt Lock was among those to comment on the breach.
“The two key problems include a lack of visibility into activity around the data, which is why they only discovered it this week after an internal security review, and data being over exposed, which is why they’ve now stated they’ve locked down the open access,” he said.
“Open access – where sensitive and important information can be seen by anyone within an organisation with a computer and free time to do a little snooping – is a huge problem. We recently published a report in which we found that 41% of companies had at least 1,000 sensitive files open to all employees. Most companies are not aware of the extent of the issue or how their data is putting them, and their customers, at risk.”
Lock continued: “The responsibility and the burden is firmly on companies to limit exposure to valuable information: this includes customer data, payment information, and the crown jewels of many organisations, intellectual property. It’s about protecting anything you wouldn’t want to make its way onto the USB drive of an employee or be stolen by a hacker. Exposed data can also be in danger when ransomware strikes. By securing data and limiting access to only those who need it, the potential damage of an attack can be limited.
“In many companies, data growth has gotten out of hand and they’re afraid of what they’ll find if they take a long look at all the files stored on their network. The GDPR is making organisations put their data house in order. With the GDPR, fortunately, many companies have taken a hard look at their data – what they have, where it’s located, and if they even need to keep it in the first place.”