[BreachExchange] Dixons Carphone admits huge data breach

Inga Goddijn inga at riskbasedsecurity.com
Wed Jun 13 10:19:43 EDT 2018


https://www.bbc.com/news/business-44465331

Dixons Carphone has admitted a huge data breach involving 5.9 million
payment cards and 1.2 million personal data records.
It is investigating the hacking attempt, which began in July last year.

Dixons Carphone said it had no evidence that any of the cards had been used
fraudulently following the breach.

There was "an attempt to compromise" 5.8 million credit and debit cards but
only 105,000 cards without chip-and-pin protection had been leaked, it said.

The hackers had tried to gain access to one of the processing systems of
Currys PC World and Dixons Travel stores, the firm said.

Dixons Carphone shares were down more than 3% in early afternoon trading.

A spokesperson for the National Cyber Security Centre said it was "working
with Dixons Carphone and other agencies to understand how this data breach
has affected people in the UK and advise on mitigation measures".

________________________________

Analysis: BBC technology correspondent Rory Cellan-Jones

On the face of it, this is a very serious incident.

Usually when companies report a data breach, they are very quick to
reassure us that while names, email addresses and login may have been
accessed, no payment information has been released.

This is not the case here, with Dixons admitting that hackers got access to
records of nearly six million payment cards.

The good news is that nearly all of them were protected by good old chip
and pin - and there is no evidence of any fraud relating to the 100,000
non-European cards which didn't have that protection.

But there are still questions for Dixons Carphone to answer.

Why has a hack that apparently happened nearly a year ago only been
revealed now?

And is there any connection to a previous data breach at Carphone in 2015?

Dixons insists that it only discovered this latest hack a week ago and it
has no connection with any previous incident.

But the UK Information Commissioner's Office (ICO), which fined Carphone
Warehouse £400,000 for the 2015 breach, will now be looking very closely at
this latest failing of the merged companies.

Luckily for Dixons, the incident happened before the new GDPR rules, which
promise much bigger fines, came into force.

________________________________

The 1.2 million personal data records accessed by the hackers consisted of
non-financial information such as names, addresses and email addresses.

Carphone Warehouse said it had no evidence that the information had left
its systems or resulted in any fraud, but it was contacting those affected
to advise them.

It added that it had brought in leading cyber-experts and added extra
security measures to its systems.

Dixons Carphone chief executive Alex Baldock said it was "extremely
disappointed" by the data breach and "sorry for any upset".

"The protection of our data has to be at the heart of our business, and
we've fallen short here.

"We've taken action to close off this unauthorised access and though we
have currently no evidence of fraud as a result of these incidents, we are
taking this extremely seriously," he added.

Tough challenges

Bryan Glick, editor in chief of Computer Weekly, told the BBC that the
breach was "right up there" as one of the biggest to date involving a UK
company.

However, he cautioned against any panic. "If you've not heard from Dixons
Carphone to warn you, the chances are you're OK," he said.

Carphone Warehouse is one of many High Street retailers feeling the strain
of tough economic challenges.