Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records.
In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences. It has informed police, regulators at the Information Commissioner's Office and the Financial Conduct Authority.
It goes on to offer the not-entirely-reassuring reassurance that it has "no evidence to date of any fraudulent use of the data as result of these incidents" before admitting the compromised information included (incomplete, in some cases) payment card data.
Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection.
The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised.
As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.
The retailer has suffered hacks before. Three years ago a seemingly similar incident exposed the credit card details of 90,000 Dixons Carphone customers.
The latest incident also potentially exposed the personal details of 1.2 million people (name, address, email address), leaving customers more exposed to potential phishing attacks as a result.
Separately, our investigation has also found that 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.
Dixons Carphone chief exec Alex Baldock apologised to customers for the inconvenience, adding (as is standard in post-breach statements) that the company takes security seriously.
"We are extremely disappointed and sorry for any upset this may cause," he said. "The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."
Some security experts said that the leaked personal information was arguably a greater threat than the compromised card data.
Chris Boyd, lead malware analyst at Malwarebytes, commented: "Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off-guard if they can't remember buying something from Dixons Carphone in the first place.
"Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required."
Others compared the Dixons Carphone breach to the compromise of US retailer Target in arguing lessons have not been learned. Paul German, CEO at Certes Networks, commented: "Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies. As a multinational organisation, Dixons Carphone would have been well aware of the Target breach." ®