Dixons Carphone, a UK electronics retailer, has today announced a breach that involved 5.9 million payment cards and 1.2 million personal records.
According to an official Dixons Carphone spokesperson, the breach began in July 2017. The spokesperson also claims there’s nothing to suggest the breach was ongoing.
If this is the case, it will likely fall under the Data Protection Act 1998, not the EU’s new General Data Protection Regulation (GDPR).
However, in response to the announcement, the UK’s Information Commissioner’s Office (ICO) has stated, “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
The maximum fine that can be imposed under the Data Protection Act 1998 is £500,000, however fines can increase to 20 million EUR or 4 percent of annual turnover (whichever is higher) under the GDPR.
Carphone Warehouse was also fined £400,000 by the Information Commissioner’s Office (ICO) in 2015 following a cyber-attack that compromised personal data of over 3 million customers and 1,000 employees.
The compromised data included historical payment card details for over 18,000 customers. The ICO also states that intruders were able to access Carphone Warehouse’s systems via an out-of-date WordPress installation.
According to a statement on the latest breach (PDF), 5.8 million of the 5.9 million cards compromised are protected by chip and pin.
Dixons Carphone claims the data accessed “contains neither pins codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”
However, it also states that 105,000 non-EU issued payment cards without chip and pin protection have been compromised. It claims it has no evidence of fraud relating to any of these cards, however it has contacted relevant card companies as a “precaution.”
It has also informed relevant authorities including the ICO, FCA and the police.
The 1.2 million personal records breached consist of email addresses, names and addresses. It claims it has no evidence that this data has left its systems and it’s contacting those affected to apologise and advise them of steps they can take to protect their personal data.
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here,” said Alex Baldock, Dixons Carphone CEO.