
Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Over a million records containing 'personal data' also affected

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records.

In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences. It has informed police, regulators at the Information Commissioner's Office and the Financial Conduct Authority.

It goes on to offer the not-entirely-reassuring reassurance that it has "no evidence to date of any fraudulent use of the data as a result of these incidents" before admitting the compromised information included (incomplete, in some cases) payment card data.

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection.

The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised.

As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.

The retailer has suffered hacks before. Three years ago a seemingly similar incident exposed the credit card details of 90,000 Dixons Carphone customers.

The latest incident also potentially exposed the personal details of 1.2 million people (name, address, email address), leaving customers more exposed to potential phishing attacks as a result.

Separately, our investigation has also found that 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.

Dixons Carphone chief exec Alex Baldock apologised to customers for the inconvenience, adding (as is standard in post-breach statements) that the company takes security seriously.

"We are extremely disappointed and sorry for any upset this may cause," he said. "The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."

Some security experts said that the leaked personal information was arguably a greater threat than the compromised card data.

Chris Boyd, lead malware analyst at Malwarebytes, commented: "Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off-guard if they can't remember buying something from Dixons Carphone in the first place.

"Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required."

Others compared the Dixons Carphone breach to the compromise of US retailer Target in arguing lessons have not been learned. Paul German, CEO at Certes Networks, commented: "Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies. As a multinational organisation, Dixons Carphone would have been well aware of the Target breach." ®
