Dixons Carphone data breach: Number of victims rises from 1.2m to 10m

Investigation into cyber attack reveals that names, addresses and email addresses of far more people than first thought may have been accessed.
Written by Danny Palmer, Senior Writer

A data breach at electronics retailer Dixons Carphone is almost ten times larger than the company first thought.

Personal information of 10 million customers, including names, addresses, and email addresses, are thought to have been accessed by outsiders -- massively up from the originally stated figure of 1.2 million.

The company uncovered further evidence of personal data being accessed during its investigation into the breach, which first occurred in July 2017 but only came to light this June.

As part of the attack, hackers also attempted to access 5.9 million payment card details, but Dixons Carphone has previously stated that chip-and-pin protection should prevent these details being used for fraud.

However, the number of accounts accessed makes it one of the largest breaches to involve a UK company.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)

No information has been provided on how the attackers managed to gain access to such a large amount of data, but the company says an investigation being carried out with the aid of cyber security experts is nearing completion.

"Since our data security review uncovered last year's breach, we've been working around the clock to put it right," Alex Baldock, chief executive of Dixons Carphone, said in a statement.

"That's included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we're updating on today."

There have been no reports of fraud resulting from the breach, but Baldock once again apologised to customers for the incident.

"We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us," he said.

The company says it's making improvements to its security environment by enhancing its monitoring and testing abilities.

Upon discovering the breach last month, Dixons Carphone reported it to the National Cyber Security Centre and the Information Commissioner's Office, and the company states it continues to keep both organisations updated.

"Our investigation into the incident is ongoing and we will take time to assess this new information," an ICO spokesperson told ZDNet.

"In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers."

The initial breach came to light weeks after the GDPR came into force. However, the breach occurred in 2017, when the 1998 Data Protection Act was still in place.


Editorial standards