Dixons Carphone announces breach involving 5.9M payment cards and 1.2M personal data records

Dixons Carphone has once again been the victim of a cyberattack, with the latest breach involving 5.9 million payment cards and 1.2 million personal data records.

The hack, which began in July of last year, included “an attempt to compromise” 5.8 million credit and debit cards, though the company reassured customers that only 105,000 non-EU-issued cards without chip-and-pin protection had been leaked and that the appropriate card providers had been made aware. Non-financial data, including 1.2 million names, addresses and email addresses, was also accessed, in what appears to have been a separate breach, or at least one separate from the payment card data.

Dixons Carphone says it has seen no evidence that the accessed data left its databases, or of any fraud resulting from the breach. However, CEO Alex Baldock said that the company was “extremely disappointed and sorry for any upset”.

“The protection of our data has to be at the heart of our business, and we’ve fallen short here,” he said. “We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

He also assured customers that the company is working to mitigate the damage caused, with action having been taken to close off the unauthorised access: “We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”

The company was also in the news earlier this year after the ICO fined it £400,000 in January, one of the largest fines the regulator had ever issued, over a 2015 cyberattack that exposed the data of over three million customers and 1,000 employees. The ICO identified multiple inadequacies in the company’s approach to data security, and ruled that it had failed to take adequate steps to protect the personal information of its customers and employees.

At the time, Information Commissioner Elizabeth Denham said:

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
