Dixons Carphone breach: Millions of card and user data compromised

A prominent United Kingdom-based retailer has suffered a massive data breach in which the personal and financial data of millions of customers has been compromised.

The targeted company, Dixons Carphone, acknowledged the breach and stated that hackers were able to access 1.2 million personal data records and 5.9 million payment cards from the processing systems of its Currys PC World and Dixons Travel stores.

In a statement [PDF], Dixons Carphone’s CEO Alex Baldock said, “We are extremely disappointed for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

The company also revealed that, of the 5.9 million payment cards, 5.8 million are protected by chip and PIN combinations, but 105,000 cards that are based outside the European Union are not protected.

Moreover, the 1.2 million compromised records contained personal data of customers including names, emails, and addresses. However, the company claims it has no evidence that this information has left its systems or has resulted in any fraud at this stage.

Dixons Carphone is a major telecommunication and electrical retailer and services company with stores all over Europe, including the United Kingdom, Ireland, Denmark, Sweden, Norway, Finland, Greece, and Spain.

It is unclear how the data breach took place and who is behind it, as investigations are underway. However, this is not the first time Dixons Carphone has suffered such a massive data breach. In 2015, personal and bank data of millions of Carphone Warehouse customers was accessed by hackers in a “sophisticated cyber-attack.”

“This may end up being the first test of the ICO which recently fined Carphone for a 2015 data breach saying its protection was inadequate. This second large breach demonstrates that little or nothing has been done by the group to improve that situation. Will the ICO now use its extended powers and ability to fine or will it come under pressure to lay off embattled high street chains?” said Stephen Gailey, Solutions Architect at Exabeam.

According to Rich Campagna, CMO at Bitglass, “It doesn’t matter if it’s a careless mistake or a malicious attempt to leak data, organizations must put in place measures to identify sensitive customer data and build controls around when that data can be accessed and by whom.”

“In this latest incident, simple data security rules could have been put in place to prohibit such a large volume of data from being shared outside the organization without internal approval. Retailers are major targets and will see any and all lapses in security exploited by malicious individuals, both internal and external. As organizations make customer data more accessible to individuals and new systems, they must make information security their top priority,” added Campagna.

Waqas