Dixons Carphone, the major electrical and telecommunications retailer in Europe, has just confirmed a data breach that occurred almost a year ago in the UK. According to the company’s press release, the security incident affected 5.9 million customer cards, and 1.2 million personal records, involving names, addresses and emails, were compromised.
“The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” said Alex Baldock, Dixons Carphone Chief Executive.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cybercrime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Luckily, there is no evidence that the stolen data has been used for fraud or other illicit activities. The retailer says 5.8 million of the cards were protected by chip and PIN, and the compromised data did not include PIN numbers, card verification values or other authentication data. Only the remaining 105,000 cards, which were not issued in the European Union and so lacked chip-and-PIN protection, were affected. All card companies involved were immediately informed so they could reach out to their customers.
Even though the company insists the breach was detected only a week ago while performing a review of its systems and data, it still faces a major fine of some £400m. The Dixons Carphone breach is considered the largest hack in UK history and raises concerns over the company’s security when handling customer data.
One question surely on everyone’s mind is whether the breach was in fact detected only last week, or whether Dixons Carphone simply kept quiet all this time, considering the company experienced a similar breach in 2015. Regardless, the Information Commissioner’s Office is treating this as a GDPR breach, even though the security incident took place before the law came into effect. This would serve as an example for other companies that don’t take data privacy seriously and ignore GDPR compliance.
The reality is that most companies, and even some regulators, are not ready for GDPR, even though they’ve had two years to prepare and the law took effect on May 25. Seventeen of 24 authorities surveyed by Reuters said they lacked the proper resources to become GDPR-compliant by the deadline, but expected the situation to improve in the near future.