A 2017 breach at one of the largest consumer electronics retailers in Europe might have exposed 10 million records containing personal data.
On 31 July, Dixons Carphone issued an “Update on Investigation into Unauthorized Data Access.” The retailer explained in its statement that it has reason to believe unauthorized individuals might have accessed approximately 10 million records containing personal data in 2017. It clarified that these exposed records didn’t contain payment card or banking details. Even so, with the help of forensic investigators, it found evidence that some of those records might have left its systems.
Dixons Carphone Chief Executive Alex Baldock explained in the statement that the company is focused on helping protect victims:
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today. As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.”
This statement came less than two months after Dixons Carphone released a notice disclosing an instance of unauthorized data access. That incident, which is the same event discussed in the company’s updated notice, involved an attempt to expose 5.9 million payment cards, 5.8 million of which had chip-and-PIN protection, as well as 1.2 million data records containing personal information. At the time, the retailer said it had no evidence that any data had left its systems and indicated it would be contacting affected customers soon.
The update also came more than half a year after the United Kingdom’s Information Commissioner’s Office (ICO) imposed a fine of £400,000, one of the largest penalties it has ever issued, against Dixons Carphone brand Carphone Warehouse for suffering a digital attack back in 2015.
These incidents highlight the need for retailers to strengthen the security of their digital systems. They can do this by applying Control 14 along with a few others of the Center for Internet Security’s Critical Security Controls.