Dixons Carphone, the UK electronics and telecommunications retailer, has experienced a massive breach of payment card data. The payment card details of 5.9 million customers have been exposed and potentially stolen by hackers.
In addition to the Dixons, Dixons Travel, and Carphone Warehouse stores, the company also operates under the brand names Currys and PC World in the UK and under other brand names in Europe. The breach is believed to have occurred in July 2017.
During a review of its systems, the company discovered that an unauthorized individual had gained access to some of its data and had attempted to compromise the cards of 5.9 million customers. The company reports that the vast majority of those cards are protected with chip and PIN authorization, although 105,000 non-EU issued payment cards lack those protection mechanisms, and those customers are most at risk of fraud.
Steps have been taken to reduce the potential for fraud. The card issuers have been notified and the intrusion and potential theft of data have been reported to law enforcement, the Information Commissioner’s Office, and the Financial Conduct Authority. While payment card data were accessed, information that would allow the cards to be used – CVV codes and PINs – was not compromised.
While investigating the breach, the company discovered that files containing the data of 1.2 million customers were also accessed. It is unclear if these data were accessed by the same attacker or if this was a separate breach.
The information in the files contained no financial information, although data such as names, addresses, and email addresses were potentially viewed and copied. Individuals affected by the breach will be notified and provided with information on the steps they can take to reduce risk.
Dixons Carphone reports that, at this point in time, no evidence has been uncovered to suggest any data were stolen or have been misused by the individual(s) who accessed its systems.
The breach – or breaches – were discovered just a few months after the company was fined £400,000 by the Information Commissioner’s Office for a 2015 breach affecting the Carphone Warehouse arm of its business. That incident resulted in the data of 3.3 million customers and 1,000 employees being accessed by a hacker. In that case, access was gained due to the failure to update a WordPress installation for six years.