Some 10m personal data records might have been affected by the breach at Dixons Carphone, the retailer admitted on Tuesday.
Dixons Carphone revealed the breach last month, saying that 1.2m personal data records had been affected. It warned that there had been an attempt by hackers to compromise 5.9m payment cards.
Further investigation revealed that the number of people affected by the 2017 breach could be 10 million. Dixons Carphone said: ‘Our investigation, which is now nearing completion, has identified that approximately 10m records containing personal data may have been accessed in 2017’.
Personal data at risk
When it first announced the breach in June, Dixons Carphone, which owns Carphone Warehouse and Currys PC World, said that most of the cards involved in the hack hadn’t been compromised. But 105,000 cards that had been issued outside the EU and didn’t have chip and Pin protection had been compromised.
Dixons Carphone explained: ‘While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details, and there is no evidence that any fraud has resulted.’
Why are more customers affected by the data breach?
So why has the number of people affected jumped so sharply? The new data protection regulations (GDPR), which came into force at the end of May, require organisations to report a data breach within 72 hours of becoming aware of it.
Investigating a data breach is a long process. Investigators have to identify:
- how hackers got access to the data
- what data they’ve accessed
- where the data has ended up
- how many people have been affected.
Then they must notify everyone.
It’s very likely that investigators won’t be able to identify exactly how many people have been hit in the 72 hours they have between discovering the breach and having to notify the Information Commissioner’s Office (ICO) and users.
Dixons has ‘added new security measures’
Alex Baldock, Dixons Carphone chief executive, said that it had closed off unauthorised access, added new security measures and launched an immediate investigation, ‘which has allowed us to build a fuller understanding of the incident that we’re updating today’.
Dixons Carphone said that its investigation, which has involved the police, the Financial Conduct Authority and the National Cyber Security Centre, is now nearing completion.
Which? response to data breach
Alex Neill, Which? managing director of home products and services, said: ‘Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It’s now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
‘Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.’
Your personal data rights
If you’ve been caught up in a breach, a company has clear obligations to you, which include notifying you promptly and providing you with the name and contact details of its data protection officer, who can give you more information.
If you’re a Dixons Carphone customer, the company will be contacting you to apologise and offer advice on what steps you can take to protect yourself from hackers looking to take advantage of the stolen data.
Alex Baldock added: ‘We’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.’