Dixons Carphone has revised up its estimate of how much customer data was stolen in a recently disclosed breach by almost nine million records.
The UK retailer revealed in June that hackers had accessed personal data on 1.2 million Currys PC World and Dixons Travel store customers — including names, addresses and email addresses.
However, in a new statement today it claimed that 10 million records containing personal data “may have been accessed” in the 2017 incident, whilst also admitting that “there is now evidence that some of this data may have left our systems.”
The high street giant was again at pains to point out that the compromised records “do not contain payment card or bank account details and there is no evidence that any fraud has resulted.”
Alongside the 1.2m records containing personal data, the original breach saw an ‘attempt’ to compromise 5.9m cards held in its systems. Dixons Carphone said that 5.8m of these had chip and PIN protection and that the stolen data did not include PIN codes, card verification values (CVV) or authentication data — making it more difficult for the hackers to monetize, although still exposing customers to a serious card-not-present (CNP) fraud risk.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said CEO Alex Baldock.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves. Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.”
Mark Adams, regional VP for UK & Ireland at Veeam, argued it was worrying that Dixons Carphone got the scale of the breach so wrong.
“These days the public care a lot about how their data is handled and by whom, and they want organizations to be more proactive in managing that data, so the size of the breach is going to translate into a much higher loss than many will imagine,” he added. “With so much competition for business, this will be an expensive breach with a long tail of damage for the organization's brand and reputation.”