Dixons Carphone, one of Europe’s largest electronics retailers, disclosed a data breach on Wednesday involving 5.9 million payment cards and 1.2 million personal records.
“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company,” the company said. The BBC reports that the hacking attempt traces back to July 2017. An investigation at the company is ongoing.
Dixons Carphone, known formerly as Dixons Retail, merged with British cellphone provider Carphone Warehouse in 2014. The company also operates the street-side home electronics stores Currys and PC World, often in the same location, as well as Dixons Travel stores. The company’s brand is a household name in the U.K., akin to Best Buy in the U.S.
Dixons said it has since secured its systems and has, as of yet, found no evidence of the illegally accessed data being used for fraud. The company has also been in contact with the police, as well as the U.K.’s data privacy and financial authorities—the Information Commissioner’s Office (ICO) and Financial Conduct Authority, respectively.
Alex Baldock, Dixon’s chief executive, said the company had “fallen short” in efforts to protect its customers data, but added: “We are determined to put this right and are taking steps to do so.” In addition to its investigation, those steps reportedly include communicating directly with those affected, beefing up security, and engaging with “leading cybersecurity experts.”
“Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge,” Baldock said.
This marks the first major data breach since the General Data Protection Regulations (GDPR), the European Union’s strict data privacy laws, went into effect. “There was a lot of speculation in the run-up to GDPR around the increase in fines and whether or not the ICO would issue heavy punitive penalties,” said Tony Pepper, CEO of Egress, an encryption services provider. “It’s likely there are going to be a lot of eyes on this case.”
But otherwise, experts say the damage—both to the victims and to Dixons’ brand—could be severe, though most urged patience. It remains unclear whether any of the data was actually put toward illicit use, they note. Only time will tell.
Trevor Reschke, a threat intelligence officer at data security firm Trusted Knight, suggested the stolen data could find its way into the hands of a wholesaler who would then shop it out piecemeal to “common street criminals.” “Once in the hands of the sellers,” he said, “a network of specialized criminal services: checkers, cloners, deeper fraud, re-shippers, and fake transactions services all step in to fill the needs of the criminals with the data, who may not have the required skill to take advantage of it.”
“I would advise anyone concerned keeps an eye on their bank accounts and watches out for obvious phishing attempts,” he said.
Geneva-based High-Tech Bridge CEO Ilia Kolochenko was far more dismissive of the breach’s impact: “Many similar breaches occur every day and alas remain unnoticed,” he said. “Unless we have evidence of malicious exploitation of the allegedly stolen data, no major detriment is imputable upon the victims.”
Dixons noted in its statement that approximately 5.8 of the 5.9 million payment cards unlawfully accessed included chip and pin protection. “The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made,” Dixons said. Around 105,000 non-E.U. cards, which do not have chip or pin protection, may have been compromised, however.
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said that any attempt to brush off concerns about stolen cards with chips and pin codes suggests a “lack of knowledge about how these cards work and the risks.” Chip-and-pin cards can still be cloned, for instance, to void those measures.
“Obviously details are thin on the ground about precisely what happened right now and that means there are more questions than answers,” Galloway said. “The main question is how are they storing/transmitting this information? The answer to that will be key in determining what went on and how they are going to sort it out.”