Dixons Carphone Cyberattack Targets 5.9M Bank Cards

European electronic and telecom retailer Dixons Carphone has discovered a massive cyber-attack that may have compromised millions of payment cards and personal data records, it said Wednesday.

The U.K.-based retail giant, whose subsidiaries include Carphone Warehouse, Currys, PC World, Elkjøp and others, said there is no evidence so far that any cards have been used after the breach. However, the number potentially impacted is head-turning: the company said that 5.9 million payment cards and 1.2 million personal data records (containing names, addresses and emails) may have been accessed.

A company spokesperson told Threatpost that the company discovered the breach last week, and determined that “there had been unauthorized access to certain data in relation to an incident that started in July 2017. There is no evidence that it is continuing.”

About 5.8 million of the cards that were accessed had chip-and-PIN protection; as a result, the accessed information did not include PIN codes, card verification values (CVV) or any authentication data enabling cardholder identification, Dixons Carphone said. But that leaves approximately 105,000 non-E.U. issued payment cards without chip-and-PIN protection that may have been more thoroughly compromised.

“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers,” the retailer said said in a website statement. “We have no evidence of any fraud on these cards as a result of this incident.”

The company did not specify which specific systems were targeted in the breach, only saying that the cards “in one of the processing systems of Currys PC World and Dixons Travel stores” were compromised.

The company informed the U.K.’s Information Commissioner’s Office (ICO), the Financial Conduct Authority and police of the incident, in accordance with Britain’s data privacy requirements.

“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” an ICO spokesperson said.

The newly implemented General Data Protection Regulation (GDPR) requires businesses to make a breach notification within 72 hours of discovering it. With the GDPR rules coming into effect this past May, Dixons Carphone and other companies with customers in the E.U. are feeling more pressure to disclose data breaches quickly in order to avoid major fines.

“Dixons Carphone’s decision to disclose is rather laudable, albeit one may question the timeline of the disclosure,” said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, in an email. “Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches.”

“We are extremely disappointed and sorry for any upset this may cause,” said Dixons Carphone CEO Alex Baldock in the website notice. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”