Another massive Data Breach affecting millions

Following their announcement on 13th June 2018 that hackers had accessed the personal details of 1.2m customers in 2017, Dixons Carphone  (owners of Curry PC World, Carphone Warehouse, Mobiles.co.uk and Dixons Travel (the airport tech retailer), amongst many others) have now upgraded that to confirm that c10m customer records have been compromised.

In a statement on 31st July 2018 they now advise that there is evidence that some data has left their systems, including dates of birth, addresses and phone numbers.

Whilst they claim that the stolen data files “do not contain payment card or bank account details and there is no evidence that any fraud has resulted” there is evidence that Hackers also had access to 5.9m payment cards used at Currys PC World and Dixons Travel with the unusual caveat that these are however ‘protected by Chip and Pin’ (some security experts have questioned how this can be regarded as protection when no chip and pin is needed to purchase online or to be used to directly access bank accounts).

Dixons Carphone said it had worked round the clock to add security measures and had informed the “relevant authorities” – including the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) and the police.

Following this further major breach of a UK retailer, the National Cyber Security Centre (NCSC) again urged companies to improve their data protection.

They also published guidance for Dixons Carphone customers (https://www.ncsc.gov.uk/guidance/ncsc-advice-dixons-carphone-plc-customers) following the initial announcement (1.2m) confirming ‘The National Crime Agency (NCA) is now leading the UK law enforcement response to the data breach, with specialist officers from the National Cyber Crime Unit (NCCU) working with the company to secure evidence. Due to the complexity of these enquiries, the investigation will take some time.’

Depending on how this event is viewed by the ICO (and indeed when the breach occurred) could this be the first time the GDPR fines are used in full?

In the 12 months to April 2017 Dixons Carphone reported revenue worldwide of £10.6bn and the maximum fine that could be imposed by the ICO under GDPR is €20m or 4% of global turnover (up from previous £500k) resulting in a maximum fine of £424m (profit in the year was £517m) under the GDPR rules.

If it is your job to protect your company from such a potentially devastating outcome Focus on Training can help with a wide range of Security, Cyber and Governance, and GDPR Courses including: