Dixons Carphone has disclosed a massive data breach that saw the compromise of 5.9 million customer cards and 1.2 million personal records. The consumer electronics retailer said it discovered "unauthorized access" to certain data held by the company as part of a review of its systems and data, following which it launched an investigation.
The company determined there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. While 5.8 million of these cards have chip and pin protection, about 105,000 payment cards from outside the EU without chip and pin protection were compromised in the breach.
"The data accessed in respect to these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made," Dixons Carphone said in a statement. "As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers."
The company said there is currently no evidence of fraud on these cards as a result of this incident.
The investigation also revealed that 1.2 million personal records containing non-financial data such as names, addresses or email addresses were accessed. The company reiterated that there is no evidence that it resulted in fraud.
"We are extremely disappointed and sorry for any upset this may cause," Dixons Carphone CEO Alex Baldock said in a statement. "The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."
The company said the breach was discovered as part of a review of its systems and data. It did not specify when its systems were compromised, although it said the hack began in July last year.
Baldock said the company has engaged cybersecurity experts to assist in the investigation and has added extra security measures to its systems.
"We are determined to put this right and are taking steps to do so," he said. "Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge."
The retailer has notified relevant authorities including the police, Information Commissioner's Office and the Financial Conduct Authority.
"An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers," an ICO spokesperson said. "Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud."
The incident could also leave the company open to a massive fine, given the new European General Data Protection Regulation (GDPR) rules that recently came into force.
According to the new data protection rules, companies must report any security incidents involving personal data to their data protection authority within 72 hours of becoming aware of them. Failure to do so can attract major fines amounting to €20 million or 4% of a company's global annual turnover, whichever is higher.