Dixons Carphone Admits To Massive Data Breach

Over a million records containing ‘personal data’ also affected

London high street shopfront of Dixon’s Carphone’s Curry’s PC World. Pic: Imran’s Photography / Shutterstock.com

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records.

In a statement (PDF), Dixons Carphone said that “unauthorised access” of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences. It has informed police, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

It goes on to offer the not-entirely-reassuring reassurance that it has “no evidence to date of any fraudulent use of the data as a result of these incidents” before admitting that the compromised information included payment card data, incomplete in some cases.

The retailer has suffered hacks before. Three years ago a seemingly similar incident exposed the credit card details of 90,000 Dixons Carphone customers.

The latest incident also potentially exposed the personal details of 1.2 million people (name, address, email address), leaving customers more exposed to potential phishing attacks as a result.

Dixons Carphone chief exec Alex Baldock apologised to customers for the inconvenience, adding (as is standard in post-breach statements) that the company takes security seriously.

“We are extremely disappointed and sorry for any upset this may cause,” he said. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Some security experts said that the leaked personal information was arguably a greater threat than the compromised card data.

Chris Boyd, lead malware analyst at Malwarebytes, commented: “Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off-guard if they can’t remember buying something from Dixons Carphone in the first place.

“Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required.”

Others compared the Dixons Carphone breach to the compromise of US retailer Target, arguing that lessons have not been learned. Paul German, CEO at Certes Networks, commented: “Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies. As a multinational organisation, Dixons Carphone would have been well aware of the Target breach.” ®