Dixons Carphone Warehouse involved in huge data breach

Dixons Carphone Warehouse has announced that it is investigating a July 2017 cyber-breach involving 7 million customer records, including personal and financial data. This follows on the heels of a 2015 incident which incurred a £400k fine. If prosecuted under the new GDPR rules, the fine could reach an eye-watering £420 million.

The 2015 incident involved out-of-date WordPress software, and whilst the cause of the latest breach is currently unknown, it does highlight the danger that cyber-crime poses to organisations and the need to complete data protection impact assessments on not just current but also legacy systems. Failure to consider data protection, failure to employ current security methods, and non-adherence to a transparent accountability framework mean that when a breach does occur there are no mitigating factors, and the resulting fines will reach business-threatening proportions.

The situation is neatly summed up by AiM Director Steve Ackland: ‘It is time for each and every organisation to wise up to their responsibilities and exposure and take action if adequate long-term cyber security and data protection measures are not in place’.

Facts:

  • They were hacked around July last year; the breach was discovered 1 week ago
  • The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores
  • There was “an attempt to compromise” 5.8 million credit and debit cards but only 105,000 cards (non-European) without chip-and-pin protection had been leaked
  • No evidence that cards were used fraudulently following the breach
  • 1.2 million personal data records, including names, addresses and email addresses
  • National Cyber Security Centre said it was “working with Dixons Carphone and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures”
  • ICO to determine if there is any connection to a previous data breach at Carphone Warehouse in 2015 (fined £400k); in that attack, hackers gained unauthorised access to the personal data of more than three million customers and 1,000 employees
  • Data accessed in 2015 breach included:
    • Customer data: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details
    • Carphone Warehouse employees’ names, phone numbers, postcodes, and car registrations
  • The hackers, using valid login credentials, were able to access the computer system through out-of-date WordPress software
  • Dixons insist there is no connection to the previous incident

The ICO is investigating whether the breach falls under the GDPR or the DPA; the latter, which is more likely, carries a maximum fine of £500k, the former £420 million.

Key elements:

  • Previous hack in 2015 (out-of-date WordPress software)
  • Second hack in July 2017 (not known if related to the first breach)
  • 7 million total records impacted
  • Method of hack as yet unknown
  • 11-month delay in detecting the breach
  • Potential £420m fine

To find out about how AiM can help your company get GDPR compliant, stay compliant, and be protected against data breaches, click here.