Dixons Carphone Breach involving 1.2m customers details and 5.9m payment cards.
In January 2018 Carphone Warehouse received a £400,000 fine as a result of a breach in 2015, six months later Dixons Carphone is reporting that it has suffered another incident.
Dixons Carphone have issued a statement saying that they are currently investigating breach which indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. They report that the data accessed in respect of these cards ‘contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made’ and that relevant card companies have been contacted via their payment provider so that they could take the appropriate measures to protect customers.
Their investigation has also found that 1.2m records containing personal data, such as name, address or email address, have been accessed. Personal data such as this is often harvested by criminals and used in phishing attacks which could catch those affected off guard and leave them vulnerable to exploits.
An ICO spokesperson said:
“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
Dixons Carphone Chief Executive, Alex Baldock, said:
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here… Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Carphone Warehouse suffered a breach in 2015 which placed data of 3 million customers and 1000 employees at risk.
The ICO’s investigation found serious failures in the security of the companies systems including out of date Word Press software and insufficient routine security testing. the investigation also found inadequate measures in place to identify and purge historic data.
Of the 2015 breach Information Commissioner Elizabeth Denham said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”