Dixons Carphone hit by huge data breach: Attackers access 5.9 million card details

Attackers also gained access to 1.2 million records containing personal details in one of the UK's biggest data breaches.
Written by Danny Palmer, Senior Writer

Electronics retailer Dixons Carphone has suffered a massive data breach, with attackers accessing 5.9 million customer payment-card details and a further 1.2 million records containing personal information.

In a statement released this morning, the company said that, during a review of its systems and data, it had discovered "unauthorised access to certain data held by the company".

An investigation into what happened is still ongoing, but Dixons Carphone said there is evidence that an attempt was made to compromise 5.9 million payment cards via one of the processing systems of its Currys PC World and Dixons Travel stores.

In addition, 1.2 million records containing personal data including names, addresses and email addresses have also been accessed.

These figures make it one of the largest data breaches involving a UK company, emerging just weeks after the GDPR data-protection legislation came into effect.


A Dixons Carphone spokesperson told ZDNet that the breach began in July last year -- there's been no information provided as to when it was discovered.

According to Dixons Carphone, there's currently "no evidence" that any fraudulent activity has taken place as a result of the breach.

However, the company is contacting those whose personal data has been accessed to provide advice on how to avoid falling victim to future fraud using the data.

The perpetrators could be playing a longer game, waiting for the right time to carry out further cyber activity.

While attackers attempted to access 5.9 million card details, the company states that chip-and-PIN protection should prevent 5.8 million of those cards from being used for fraud.

PIN codes, card verification values (CVV), and authentication data enabling cardholder identification or purchases were not stored in the data.


However, an additional 105,000 cards from outside the EU -- with no chip-and-pin protection -- have been compromised as part of the breach. The company says there's no evidence of fraudulent activity, but those affected have been notified.

"We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we've fallen short here," said Alex Baldock, chief executive of Dixons Carphone.

"We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."

The company has launched an investigation into the incident and is said to be working with cyber security experts. Baldock added that Dixons Carphone has also "added extra security measures" to its systems.

The Information Commissioner's Office (ICO), the Financial Conduct Authority and law enforcement have all been informed about the attack.

"An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers," an ICO spokesperson told ZDNet.

"Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud," the ICO added.

The National Cyber Security Centre has warned people to be mindful of potential fraud and follow-up campaigns.

"The National Cyber Security Centre is working with Dixons Carphone plc and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures," an NCSC spokesperson told ZDNet.

"Anyone concerned about fraud or lost data should contact Action Fraud and we recommend that people are vigilant against any suspicious activity on their bank accounts.

"The NCSC website offers advice to organisations about ensuring their online security is as robust as possible, including guidance on protecting bulk personal data from cyber attack," they added.
