Revising its June estimates significantly upwards, Dixons Carphone now says that 10 million customers were involved in last year’s data breach.
When the breach was first disclosed in June, the company announced that 1.2 million names, addresses and email addresses had been accessed, in addition to the details of 5.9 million payment cards, though the company assured customers that the vast majority of these had chip-and-pin protection.
The company has been working with external experts including the National Crime Agency to investigate the hack since it was discovered, and says that its investigation is now nearing completion.
It initially reported that no fraudulent activity resulting from the breach had been observed, and that there was no indication that customer data had left the company’s systems.
Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.
– Alex Baldock, CEO, Dixons Carphone
However, the investigation has now revealed that personal data may have been exfiltrated, and that almost ten times as many customers were impacted by the breach as Dixons Carphone initially reported.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right,” said CEO Alex Baldock. “That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
The company said in a statement (PDF) that it has put further security measures into place and increased its investment in cybersecurity. It says that it will be contacting all customers to apologise and advise them of protective steps they can take to reduce the risk of fraud.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers,” Baldock added. “I want to assure them that we remain fully committed to making their personal data safe with us.”