Hackers have gained illegal access to 5.9 million credit cards and 1.2 million personal records stored by Currys PC World and Dixons Travel, Dixons Carphone announced this morning.
The UK retail giant, which also owns Carphone Warehouse, said it’s investigating two breaches that apparently occurred last year but were only discovered last week as part of a security review. According to the company, there’s no evidence that the stolen data has been used fraudulently.
Fortunately for Dixons Carphone, 5.8 million of the stolen credit cards were chip-and-PIN cards – and the company didn’t store the PIN or the three verification digits (CVV) from the back of the card. This means that it would be very hard for the hacker to use those credit cards to make fraudulent purchases.
For the remaining 105,000 of the credit cards, which were from outside the EU and not protected by a PIN, Dixons Carphone has notified the issuing banks.
The 1.2 million stolen personal records, which include names, addresses, and emails, are more troublesome: they’re personally identifiable data that could be used as the basis for identity theft and fraud. Over the coming days, the company will be writing to the customers whose personal data was breached, “to inform them, to apologise, and to give them advice on any protective steps they should take.”
You should contact your bank if you’re concerned about your credit card number being included in the breach – and read our guide on staying safe and protecting your financial details online!
As for how the two breaches occurred, Dixons Carphone has only revealed that the 5.9 million credit cards were obtained from a “processing system.” This suggests that a hacker might’ve subverted the company’s point of sale system and found a way of skimming credit card numbers. Hopefully it wasn’t a case of Dixons Carphone storing unencrypted credit card numbers in a database somewhere, which a hacker then gained access to.
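The two points above (that not storing the PIN or CVV limits what a thief can do with a card number, and that the worst case would be raw card numbers sitting unencrypted in a database) come down to what a card record looks like at rest. The following Python is an added example written for this article, not code from Dixons Carphone or from any payment processor: it shows a record sanitiser that keeps only a masked PAN and a keyed token, never lets the CVV or PIN into the stored record, and a scanner a defender can run over logs or database dumps to find raw card numbers that should not be there. The key, the test card number (4111 1111 1111 1111, a widely used non-live test number) and the log line are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed for this example: in a real deployment the tokenisation key lives in
# an HSM or key-management service, never next to the data it protects.
TOKEN_KEY = secrets.token_bytes(32)

# Card numbers are 13-19 digits, possibly separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a digits-only string; weeds out order ids and timestamps."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenise(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC token: lets the retailer link repeat purchases without the PAN.
    A plain SHA-256 would be brute-forceable over the small PAN space, so the
    key is what makes the token safe to store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or support desk needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitise_for_storage(card: dict, key: bytes = TOKEN_KEY) -> dict:
    """Build the record that is allowed to reach the database.

    `card` is the dict handed to the authorisation call; it may contain
    "cvv" and "pin", which are used for that one call and deliberately
    never copied into the returned record.
    """
    pan = re.sub(r"\D", "", card["pan"])
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return {
        "pan_token": tokenise(pan, key),
        "pan_masked": mask_pan(pan),
        "expiry": card["expiry"],
        "name": card["name"],
    }


def scan_for_raw_pans(text: str) -> list:
    """Find Luhn-valid card numbers in free text (logs, dumps, exports).
    Masked PANs and short numeric ids do not match."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed input: a card as it arrives for authorisation.
    incoming = {"pan": "4111 1111 1111 1111", "expiry": "12/20",
                "name": "A Customer", "cvv": "123"}
    print(sanitise_for_storage(incoming))
    # Constructed log line showing the kind of leak the scanner is meant to catch.
    print(scan_for_raw_pans("2018-06-13 order 44812 pan=4111111111111111 amount=199.99"))
```

Running the scanner over application logs and database exports is a cheap control: if it returns anything, raw card numbers are being written somewhere they should not be, which is exactly the condition the article hopes was not the case here.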
Here comes GDPR
The share price of Dixons Carphone fell about 5% after the breaches were announced this morning. Investors were likely sizing up the potential damage of a big fine from the UK’s data protection watchdog, the Information Commissioner’s Office (ICO). Again, rather fortunately for the company, it would appear that the breaches occurred before the arrival of GDPR, so the maximum fine would be £500,000. Under the much stricter data protections of GDPR, the maximum fine for egregious abuse of personal data is up to 4% of a company’s global revenues or £20 million, whichever is larger.
A spokesperson for the ICO said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.”
In January this year, Carphone Warehouse was fined £400,000 by the ICO for a hack and data breach that occurred back in 2015. At the time, the ICO said that it had found “multiple inadequacies” in the company’s data security processes.
Moving forward, the retail group will presumably want to take a hard look at its data security to reduce the likelihood of further breaches.
Image credit: Yui Mok - PA Images