Dixons Carphone Breach: 5.9 Million Payment Cards Exposed1.2 Million Nonfinancial Records Also at Risk, Electronics Giant Warns
Struggling European electronics giant Dixons Carphone has suffered a massive data breach, or what may in fact be two separate data breaches.
See Also: The Global State of Online Digital Trust
On Wednesday, the London-based company issued a statement warning that "as part of a review of our systems and data, we have determined that there has been unauthorized access to certain data held by the company."
The multinational electrical and telecommunications retailer and services company owns and operates a number of brands throughout Europe, including Carphone Warehouse, Currys, Dixons Travel and PC World.
Dixons Carphone says it launched an investigation last week into the suspected breach and has found that "there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," apparently in July 2017.
"Our investigation has also found that 1.2 million records containing nonfinancial personal data, such as name, address or email address, have been accessed," the company says in its statement.
The company says it immediately launched an investigation after learning about the suspected data exposure.
Mitigating Factor: Chip-and-PIN
One mitigating factor for the potentially exposed payment cards: 5.8 million of them had chip-and-PIN protection.
Since 2006, all card transactions in the U.K. made with a U.K.-issued payment card have required that the card include chip-and-PIN protection. The move took a big bite out of counterfeit and stolen card fraud, according to the UK Cards Association.
Dixons Carphone says only card numbers appear to have been exposed in the breach. "The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made," the company says.
That's good news for cardholders, as well as card issuers; Dixons Carphone says it's notified the latter about the data exposure so they can watch for potential fraud.
But the stolen card details could still be used to commit online fraud.
In addition "105,000 non-EU-issued payment cards which do not have chip-and-PIN protection have been compromised," the company says.
Card Fraud? 'No Evidence'
Dixons Carphone says it has not received any information suggesting that the stolen information may have been put to illicit use. The company says in its statement: "We have no evidence that this information has left our systems or has resulted in any fraud at this stage."
But seeing no signs of fraud is not the same as saying that a company has no verifiable proof that no fraud has - or will be - committed.
Dixons Carphone says it has notified both the U.K.'s Information Commissioner's Office, which enforces the country's data protection laws in line with the EU's General Data Protection Regulation, and the Financial Conduct Authority about the breach.
The ICO says it's aware of the breach report. "An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers," a spokesman for the ICO says. "Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud."
Action Fraud is the U.K.'s national fraud and cybercrime reporting center, and also offers prevention advice and victim support.
"The National Cyber Security Centre is working with Dixons Carphone plc and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures," NCSC says in a statement.
Could GDPR Penalties Apply?
So far, it's not clear if the breach, since it might date from July 2017 - when GDPR was active, but before the May 25 enforcement deadline last month - might be subject to the full force of that new law (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($23 million) - whichever is greater - as well as other potential sanctions, including losing their ability to process people's personal data.
Last month, Parliament passed the 2018 Data Protection Act, which the ICO says "forms part of the data protection regime in the U.K." together with GDPR. Notably, DPA 2018 gives the ICO the ability to fine organizations up to the maximum allowed by GDPR.
The ICO said it's not yet clear whether the full force of GDPR could potentially be brought to bear against Dixons Warehouse.
"It is early in the investigation," a spokesman tells Information Security Media Group. "We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."
Dixons Warehouse says it plans to notify everyone whose personal details were potentially stolen and to give them information about how to protect themselves (see Data Breach Notifications: What's Optimal Timing?).
"We are extremely disappointed and sorry for any upset this may cause," Alex Baldock, who's served as CEO of Dixons Carphone since April, says in a statement.
"The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorized access, and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously," Baldock said. "We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected."
Follows 'Serious' Breach in 2015
But this isn't the first massive data breach to be suffered by publicly traded Dixons Carphone. Earlier this year, the company was slammed with a £400,000 ($533,000) fine for a 2015 breach of its Carphone Warehouse subsidiary that was perpetrated by an attacker who was able to access a WordPress installation that was outdated by six years (see Carphone Warehouse Breach: 'Striking' Failures Trigger Fine).
The ICO said that "serious failures" at Carphone Warehouse "placed customer and employee data at risk."
The breach affected Carphone Warehouse's online division, which operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites, and resulted in unauthorized access to the personal data of 3.3 million customers and 1,000 employees.
In January, when the fine was announced, U.K. Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring systems were robust and not vulnerable to such attacks."
Retailer Struggles to Adapt
Dealing with the latest data breach isn't the only challenge facing Dixons Carphone. Last month, the company warned that its pre-tax annual profits to April 2018 had plunged by 24 percent from the year before, falling from £501 million ($670 million) to £383 million ($510 million). And it predicted that its 2018/19 profits would fall further still, to £300 million ($400 million).
Baldock said he would be closing 92 of the company's 700 stand-alone Carphone Warehouse stores in an attempt to help the company adapt to the changing mobile phone market.
The company is set to release its next set of financial results on June 21.