Dixons Carphone Breach Hits 5.9 Million Cards

Millions of Dixons Carphone customers have had their financial and personal data illegally accessed after a major breach at the UK company.

The high street retailer claimed in a notice today that “there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.”

However, it was quick to add that 5.8 million of these cards had chip and PIN protection, and that the data stolen did not include PIN codes, card verification values (CVV) or authentication data – making it more difficult for the hackers to monetize the breached data.

Only 105,000 non-EU-issued payment cards are at risk, as they aren’t chip and PIN protected, meaning they could be cloned.

“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers,” the firm said. “We have no evidence of any fraud on these cards as a result of this incident.”

The electronics retailer also admitted that hackers have accessed, but not exfiltrated, personal data on 1.2 million customers, including names, addresses and email addresses.

“We have no evidence that this information has left our systems or has resulted in any fraud at this stage,” it confirmed.

Given the small number of affected cards and the fact that personal data did not leave the network, it’s unlikely the firm will be in for a major GDPR fine, unless it emerges that the hackers took advantage of serious deficiencies in the firm’s cyber-defenses.

Dixons Carphone CEO, Alex Baldock, revealed that the firm has added extra security measures, informed the relevant authorities and is communicating with affected customers.

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here,” he added. “We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
