Dixons Carphone has admitted a large data breach affecting 1.2m personal data records and 5.9m payment cards.
The data breach follows a hacking attempt to compromise cards in one of the processing systems the firm uses in its Currys PC World and Dixons Travel stores.
Dixons Carphone said its investigation is ongoing and it has informed the ICO, FCA and the police.
Payment cards compromised
The company believes approximately 105,000 non-EU-issued payments cards that do not have chip and pin protection have been compromised.
It said 5.8m of the credit and debit cards had chip and pin protection and that pin codes had not been leaked.
Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.
Personal data accessed
Separately, the investigation into the hack found other records of non-financial personal data including names, home addresses and email addresses were also accessed.
Dixons Carphone said it has no evidence that this information left its systems or has resulted in any fraud at this stage.
Companies need to be held to account
Alex Neill, Which? managing director of home products and services, said: ‘This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data.
‘It is critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
‘Data breaches are becoming more and more common, but consumers lack the powers they need to ensure companies are held to account. That is why the government should give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to meet its data protection obligations.
‘Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.’
Your rights when there’s a data breach
If there is a serious breach of your personal data that is likely to result in a high risk to your rights and freedoms, in most circumstances the company is obligated under GDPR to tell you without undue delay.
The company has data protection procedures it must take if there’s been a breach, which includes providing you with the name and contact details of its data protection officer who can provide more information.
Dixons Carphone has said it is contacting its customers affected by the personal data breach to inform them, to apologise and to give advice on protective steps they should take.
If you’ve been directly affected by the breach, you should complain to the company for losing your data and seek compensation for any financial damage or distress caused.
Steps to tackle fraud attempts
If you become aware that an organisation has lost your personal data, there are steps you can take:
- Change your passwords If you use the same or similar passwords across multiple accounts, change your passwords as soon as possible.
- Keep a watchful eye on your bank account If you see anything unusual in the next few months, contact your bank immediately and explain that you’ve been the victim of fraud.
- Be vigilant of scam attempts Bear in mind that scammers may have access to more of your personal information after a breach, so stay on guard and report any attempts to Action Fraud.
Dixons ‘sorry for upset’
Dixons Carphone chief executive, Alex Baldock, said: ‘We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.
‘We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
‘We are determined to put this right and are taking steps to do so. We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.’