Dixons Carphone cyberbreach affects millions of customers

UK retailer Dixons Carphone has revealed it suffered a cyberattack which compromised data belonging to millions of customers.

The company said it had determined that there had been unauthorised access to certain data, discovered as part of a review into the firm’s systems and data – although there had been no evidence of any fraudulent use of that data.

An investigation – which is ongoing – has indicated that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.

In a statement, the company said 5.8m of those cards had chip and pin protection.

It said: “The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

“Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.

“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers.”

There was no evidence of any fraud on these cards as a result of the incident, the statement said.

But the investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed.

“We have no evidence that this information has left our systems or has resulted in any fraud at this stage,” the statement said.

“We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.”

Dixons Carphone Chief Executive, Alex Baldock, said the firm was ‘extremely disappointed and sorry’ for any upset the incident might have caused.

He said: “The protection of our data has to be at the heart of our business and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.

“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected.”

The firm has informed the relevant authorities including the ICO, FCA and the police.

Mr Baldock added: “Cybercrime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”

Industry experts have offered advice to organisations on the subject of data breaches.

David Rushmer, Senior Threat Researcher at Cylance

“The majority of organisations operate under the security versus usability paradigm that suggests a trade-off between the two; increased security decreases usability and vice versa. Equally, data storage methods are pretty varied. One organisation may choose to store it internally, whereas others opt to use a third party.

In order to protect customer data, the best option for organisations currently is to adopt ‘privacy by design’ where systems are built from the ground up with privacy, and thereby data protection, as the focal point. While there are arguments that it might not work or it will decrease usability, it is currently the best solution available to protecting data.

Any organisation moving forward has to inform you what they are doing with your data. The best thing any consumer can do is read and understand what data they are sharing, what the organisation intends to do with it and where it is being held. Furthermore, any consumer, certainly within the EU, should read up on what the GDPR means and what rights it offers them.”

Adam Brown, Manager of Security Solutions at Synopsys

“Data is everywhere and it can be very difficult to keep track of sensitive data as it traverses an organisation. It can pass through insecure channels unintentionally, be subject to risky processes or end up in a quiet enclave / disused system forgotten for years.

Credit card data these days is well protected due to the prescriptive requirements of the PCI council; however, that in itself can be an issue. Prescriptive approaches inspire checkbox mentalities. To protect data, a data-centric approach would maintain focus on our most critical data assets in an organisation.

No one thing can fix problems like these. In reality, data security needs to be a boardroom subject. Direction from the top is the most effective way to set up a deliberate and purposeful security initiative. Successful manifestations of this have a software security group with clear direction, underpinned by a satellite team. Synopsys has observed that effective programmes have 1.6 software security group members per 100 developers.

As for consumers, they can only be vigilant for fraudulent transactions if they have had dealings with any of the affected group companies.”

Eyal Benishti, CEO and Founder, IRONSCALES

“When we see any data breach, it’s the organisation’s customers that are put in the firing line having had their information disclosed to criminals. In the coming days and months, now that this breach has become public knowledge, it’s likely that we will see a major uptick in criminals looking to capitalise on this breach, even if they weren’t the original hackers, by sending scam messages to consumers hoping to trick one or two into believing the malicious communication and being tricked into giving away even more information.

“Things to look out for will be messages purporting to be from Dixons Carphone offering free credit monitoring services by clicking links which instead will give away even more personal information to the fraudsters. As payment card data has been affected, we might even see criminals trying to spoof users’ banks in a bid to get users to disclose the three-digit CVV number from the back of their cards, in the hope of getting this information to complete the user’s card record. Messages might encourage them to apply for a new card or even persuade them to download a malicious program in the guise of monitoring software purported to help protect them.

“Another avenue criminals will almost certainly look to exploit is social media with angler phishing scams. In these instances, criminals will create fake social accounts that mimic an affected brand – in this case Dixons Carphone – and when a consumer airs their grievances or looks for support by tagging the real account profile, the scammer will intercept the communication and contact the user to offer ‘help and reassurance’ in a bid to lure them to a phishing site or to call a fake helpline etc.

“Vigilance will be key in the coming days and months, and if anything arrives in a user’s mailbox, if they receive an SMS message, or if they are contacted by a social media profile, it’s imperative these interactions are viewed with caution and the messages scrutinised. If in any doubt, check it with the sending organisation before clicking any links, downloading any software, or calling any of the numbers offered.”

Intelligent CISO