A consumer electronics retailer has confirmed an attempt to compromise the details of 5.9 million payment cards in a data breach.
On 13 June, Dixons Carphone released a notice disclosing its investigation into an instance of unauthorized data access. The company came across the suspicious activity while reviewing its systems and data. Subsequently, it contacted security experts to help determine what happened.
The investigation revealed that unknown individuals attempted to compromise 5.9 million payment cards found in the processing systems of Currys PC World and Dixons Travel, which are subsidiaries of Dixons Carphone. Most of those cards, the statement explained, came equipped with chip-and-PIN protection, with potentially affected data not containing customers’ PINs, card verification values (CVVs) or authentication data.
Additionally, Dixons Carphone found evidence that unauthorized data access compromised 105,000 non-EU issued payment cards lacking chip-and-PIN protection along with 1.2 million records containing personally identifiable information (PII) including names, physical addresses and email addresses. The company observed no indication that any of that data left its systems. But out of an abundance of caution, it contacted card providers to help them protect affected customers. It also began contacting those whose non-financial information might have been breached.
Alex Baldock, chief executive for Dixons Carphone, apologized in the statement and said he was “extremely disappointed” that the incident occurred:
The protection of our data has to be at the heart of our business, and we’ve fallen short here…. We are determined to put this right and are taking steps to do so…. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.
The United Kingdom’s Information Commissioner’s Office (ICO) confirmed it’s heard from Dixons Carphone with respect to this latest incident.
“An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers,” ICO wrote in a statement. “Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”
News of this unauthorized data access comes less than a month after the ICO fined the University of Greenwich £120,000 for a “serious” security breach of personal data.