UK-based electronics retailer Dixons Carphone, the company behind the Currys PC World, OneStopPhoneShop, and Carphone Warehouse brands, announced a security incident earlier today.
In a press release posted on its corporate website, the UK retailer admitted to a data breach that took place last year, during which a yet-to-be-identified intruder (or intruders) accessed payment card details belonging to 5.9 million Dixons Carphone customers.
The breach appears to have taken place “in one of the processing systems of Currys PC World and Dixons Travel stores,” the company said.
Most exposed cards protected by “chip and PIN” defenses
After analyzing the data the intruder accessed, Dixons Carphone says that the vast majority of the exposed payment cards, around 5.8 million, were chip-and-PIN cards. The accessed data does not include the PIN or the card verification value (CVV) printed on the back of the card, so on its own it cannot be used to make a purchase.
The company says that the remaining cards, around 105,000, belonged to customers in non-EU countries and were not protected by chip and PIN. Details from these cards could be used for fraudulent online purchases or other forms of card-not-present fraud.
Dixons Carphone said it has notified the card companies of the breach so that they can take precautionary measures to protect affected customers.
“We have no evidence of any fraud on these cards as a result of this incident,” a company spokesperson said.
User data also accessed, but no evidence it was stolen
In addition to the payment card details, the retailer said the intruder also accessed personal records of over 1.2 million customers. The exposed records are limited to non-financial personal data such as names, postal addresses, and email addresses.
“We have no evidence that this information has left our systems,” the retailer said, adding that it has started notifying each affected customer.
The retailer suffered a similar breach in 2015. In that incident, an attacker accessed the personal details of 2.4 million customers and the payment card details of 90,000.
While the breach itself appears to date back to July of last year, it remains unclear when the retailer first learned of the incident.
“In light of these facts, Dixons Carphone’s decision to disclose – is rather laudable, albeit one may question the timeline of the disclosure,” said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge. “Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches.”
“We are extremely disappointed and sorry for any upset this may cause,” Dixons Carphone Chief Executive, Alex Baldock, said. “We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has also issued an alert about the incident, with links to pages where affected customers can report fraud and related crimes.
Image credits: Elliott Brown