As part of a review of its systems and data, Dixons Carphone – the multinational electrical and telecommunications retailer and services company headquartered in London – has determined that there has been “unauthorised access” to certain data held by the company. As a result, the business promptly launched an investigation, engaged leading cyber security experts and added extra security measures to its systems.
That investigation is ongoing, and currently indicates that there was an attempt to compromise 5.9 million cards (5.8 million of which do possess Chip and PIN protection) in one of the processing systems of Currys PC World and Dixons Travel stores. Approximately 105,000 non-EU issued payment cards which don’t have Chip and PIN protection have apparently been compromised.
The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a fraudulent purchase to be made.
Separately, the company’s investigation also found that 1.2 million records containing non-financial personal data, such as name, address or e-mail address, have been accessed. An official statement issued by Dixons Carphone observes: “We have no evidence that this information has left our systems or resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, apologise and give them advice on any protective steps they should take.”
Dixons Carphone has also informed the Information Commissioner’s Office (ICO) and the police about the breach.
Commenting on the incident, which makes the retailer the latest high-profile business to suffer at the hands of hackers, Dixons Carphone CEO Alex Baldock explained: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and, though we have currently no evidence of fraud as a result of these incidents, we are taking this occurrence extremely seriously. We’re determined to put this right and are taking steps to do so. We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and we’re communicating directly with those affected. Cyber crime is a continual battle for business today, and we’re determined to tackle this fast-changing challenge.”
Reaction from the security sector
As you would expect, there has been plenty of comment on this data breach from security industry experts. Simon Cuthbert, head of international business at 8MAN by Protected Networks, outlined: “This breach is just another example of an organisation failing to protect its most important asset – data. The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. Not to mention that this is the first breach case since the General Data Protection Regulation (GDPR) deadline passed on 25 May. It will be interesting, and noteworthy, to see how the ICO responds to this breach as it will likely set a precedent for those that follow, and certainly kick others into action if they haven’t already ensured that they’re meeting, or at least attempting to meet, the new requirements.”
Cuthbert added: “If Dixons Carphone is unable to provide information on who accessed the data, when and what they did with it, and deliver a report that evidences this, then the business stands a risk of really falling foul of the regulator. Organisations need to ensure they have visibility of who has access to what data, and what they’re doing with it, and demonstrate that they’re taking the necessary steps to protect sensitive information.”
Randhir Shinde, CEO at Galaxkey (the data management and protection company), informed Risk Xtra: “This breach shows that businesses cannot be complacent about data protection and management. Hackers are becoming increasingly inventive, often targeting hardware such as printers, scanners and credit card machines to breach systems. While most customers’ financial information has been protected in this instance, it’s concerning that 1.2 million have had their personal information compromised. Names, addresses and e-mail addresses may not sound threatening, but this is a clear invasion of privacy. What’s more, this information can be the first step for hackers and allow them to enter e-mail accounts and social media and, ultimately, do harm. I doubt that this would have happened if the data was encrypted. It’s time for businesses to wake up. They simply must protect key data.”
Peter Carlisle, vice-president (EMEA) at Thales eSecurity, said: “Cyber criminals are becoming smarter, better and faster, with this latest breach adding to a much longer list of previously targeted organisations. This has made trying to protect customer data an exhausting process, as sophisticated and well-funded hackers adapt quickly to new security measures. In the best effort to fight cyber crime head on, businesses need to take data security into their own hands, using a combination of preventative – not reactive – processes to throw the hackers off track. Once organisations know exactly where their data resides, they need to determine what’s worth defending and adopt an ‘encrypt everything’-style approach. Through layering protection methods, enterprises can easily control data wherever it sits in their business and successfully strengthen their security posture.”
Carlisle concluded: “With the GDPR now in full force, it’s no longer just a lack of customer trust and a tarnished reputation that organisations need to be worried about, but also the risk of losing €20 million or 4% of annual revenue, whichever happens to be the greater sum. It’s a significant amount of money to lose for any business. Now, the perils of a data breach have become far more serious.”
Difficult to control
Paul Cant, vice-president (EMEA) at BMC Software, told Risk Xtra: “With the inordinate quantity of bytes of data continuing to grow at an exponential rate, it’s unsurprising that data breaches are now commonplace in the world of technology, but this is still not an excuse for them to happen. With the advent of the GDPR, organisations simply cannot afford to leave cyber security as a fleeting afterthought. Only by relentlessly examining internal processes can companies discover how their systems storing data are configured, how they’re connected and determine where any vulnerabilities sit. They can then piece together a plan to remediate those vulnerabilities and correct them, keeping the personal data of their customers secure.”
Dr Guy Bunker, senior vice-president of products at Clearswift, opined: “This breach shows how difficult it can be to get a breach under control. Dixons Carphone has been fined for security incidents in the past, and either the clean-up wasn’t thorough enough, or there remained holes in its security which haven’t been fixed. Either way, the outcome is the same: repeat breaches. As with any breach, there’s only evidence where there is evidence, and sophisticated cyber attackers can remove traces, often leaving behind only that which they want found in order to cover up other actions they’ve taken.”
Bunker continued: “When it comes to fraud, it’s difficult to prove whether this is the source or not, and the impact of losing this data can have a long-term impact. While a credit card can be easily cancelled and replaced, addresses and e-mail addresses will remain unchanged for days, weeks, months and years. When coupled with other personal information like a name and address, an e-mail address is fodder for phishing. As is the case with any breach made public, phishing scams will run riot asking people whether they were customers and to register information, etc. The advice here is to watch out for such e-mails and ignore them. If you’re concerned then call a known number, not necessarily one you receive through an e-mail communication.”
In conclusion, Bunker told Risk Xtra: “In addition to the reputational damage that comes with a data breach where payment information has been leaked, GDPR enforcements will also have a huge impact on Dixons Carphone. As well as having to compensate those who have had their sensitive information leaked, the organisation may have a fine of up to 4% of its global annual turnover levied upon it. For a company this size, that figure could be in the millions and has the potential to impact the future profitability of the organisation as a whole.”
Response from the ICO
In a statement on its website, the ICO writes: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud. It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it’s dealt with under the Data Protection Act 1998 or the Data Protection Act 2018.”
Mike Hulett, head of operations at the National Crime Agency’s National Cyber Crime Unit, said: “The National Crime Agency is leading the UK law enforcement response to the incident which has affected Dixons Carphone. We are working with partners including the National Cyber Security Centre, the Financial Conduct Authority and the ICO. Specialist officers from the National Cyber Crime Unit will be working with the company to secure evidence. The complexity of these enquiries means this is an investigation which will take time.”