When Dixons Carphone approached the UK Information Commissioner’s Office to report a suspected data breach in June, it was believed that around 1.2 million customers were affected. But with the assistance of the National Cyber Security Centre, investigations have revealed the incident to be roughly eight times worse than first thought.
Extensive forensic analysis has found that more than 10 million customer accounts have been compromised. Hackers appear to have accessed a vast amount of personal data including names, postal and delivery addresses and email addresses.
No sign of fraud. Yet.
When speaking to the press, Dixons Carphone management has been keen to stress that there is no sign of sensitive financial data, such as payment card details, having been stolen in this incident. They also point out that there have been no reports of fraud linked to the hacking as yet.
But with so many customer records having been exposed, there is always a risk that they will be used for fraudulent purposes at some point in the future. It is also important to note that although criminals would prefer to steal credit card details, they can still begin the process of identity theft using names and address data.
The intrusion itself took place last year, and no fraud has been traced back to it in the months since. That is not a guarantee, however: stolen records can be sold on or held for a long time before they are used, so the absence of fraud so far says little about what the criminals intend to do with the data.
100,000 shoppers at risk
Dixons Carphone has also been keen to downplay another aspect of the ongoing data security investigation. A second, possibly unrelated, breach of the corporate payment processing system resulted in more than 5.9 million payment card details being stolen.
Analysis of the breach reveals that the vast majority (5.8m) of the exposed cards are protected by Chip and PIN technology, which makes them very difficult to clone from card details alone. A further 105,000 older cards without this protection may still be usable for fraud.
There is also no sign that these card details were successfully extracted from the Dixons Carphone systems, only that they were accessed illegally by an unknown third party.
Will there be a massive GDPR fine?
The General Data Protection Regulation recently came into force, specifying potentially huge fines for any business that fails to properly protect personal information. For the most serious breaches, these fines can reach €20m or 4% of global annual turnover, whichever is greater.
Because these incidents took place before GDPR came into force on 25 May 2018, they fall under the older Data Protection Act 1998, so Dixons Carphone are facing a maximum fine of £500,000. Still a significant penalty, but nowhere near as devastating.
I’m a Dixons Carphone customer – am I safe?
Dixons Carphone has made it quite clear that the security failings which led to the breach have now been addressed. They have also added new security measures to further strengthen their defences against future attack.
Will they fall victim to hackers again? It’s hard to know for sure. The embarrassment caused by this incident should, however, help to ensure that Dixons Carphone treat customer data with greater care in future.
Why not check your own PC security defences now? Download a free trial of Panda Dome to keep the hackers away from your personal data.