Dixons Carphone has admitted to another data breach. This is not good news for the company, which was fined £400,000 in January for a previous data breach. A spokesperson for the company confirmed to Enterprise Times that initial investigations show evidence that this started as far back as 2017, although it was only detected a few days ago.
The company says that it has already taken action to close off access to the data. It also believes that no data ever left its systems. With the investigation in its early phase, these statements may well be subject to change. With the data being accessible for almost a year, it would be a major surprise if some data hasn’t been exfiltrated.
In a statement Dixons Carphone Chief Executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
What has been accessed?
The breach is primarily focused on payment card data. The official statement says: “…there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”
This is good news. The separation of the different pieces of card data, especially the CVV, should reduce the risk of fraud. However, chip and pin is irrelevant for cardholder-not-present (CNP) payments. It is also likely that criminals will seek to compare the card numbers with other data caches to see if they can identify the CVV.
The statement went on to say: “Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.”
The problem here is the time gap between the attack starting and its detection. Until all those cardholders have carried out a detailed review of their cards, it is not possible to say that there has been no fraud since July 2017.
Not just about card data
Dixons Carphone also admitted that 1.2 million records containing personal data, such as name, address or email address, have been accessed. What it is not saying is whether that data is linked to any of the payment cards. If it is, hackers could have used the combination to commit fraud in which the personal details and payment cards served as proof of identity.
The company is saying that it is contacting all those affected.
What does the industry say?
There is nothing like a high profile breach to generate comment from security vendors. Within two hours of this story going live, Enterprise Times had received comment from more than 23 people. Here is a selection of those comments:
Bill Conner, CEO, SonicWall: “As the cyber arms race continues to escalate, there is increasing pressure on governments and businesses to truly understand the nature of these attacks and have layered security in place to protect their businesses and their brands. With the volume and sophistication of attacks on the rise, governments and businesses need automated, real-time breach detection and prevention.”
Chris Boyd, Lead Malware Analyst at Malwarebytes comments: “Cancelling cards is always a pain, but the bigger issue is the personal data harvested by the criminals. The possibility of phishing attempts using this information is a good one, and people could be caught off guard if they can’t remember buying something from Dixons Carphone in the first place. Treating all communications with suspicion for the next few months is probably a good idea, especially in situations where any form of login details are required.”
Trevor Reschke, Threat Intelligence Officer at Trusted Knight: “The data that has been compromised will most likely be sold or put on loan to a wholesaler who cuts the cream off the top and mixes and ages the rest of the data. This information is then parsed out in lumps to other wholesalers who sell it to the common street criminals who then use it. Once in the hands of the sellers, a network of specialized criminal services: checkers, cloners, deeper fraud, re-shippers, and fake transactions services all step in to fill the needs of the criminals with the data, who may not have the required skill to take advantage of it. Carphone Dixons will be in touch with anyone who has been impacted, but I would advise anyone concerned keeps an eye on their bank accounts and watches out for obvious phishing attempts.”
What does this mean?
One of the big questions is whether this will be treated as a pre- or post-GDPR breach. Dixons Carphone is getting out ahead of this with the July 2017 date. That would immediately limit the scope of the ICO to a maximum fine of £500,000. Add that to the £400,000 from January and it will have an impact on the bottom line for the company.
It may be that the regulator does not go for the maximum penalty. In its judgement against Yahoo! UK Services Limited it specifically noted that the fine there would not cause hardship to the company. Dixons Carphone may use that to lower its potential fine. It has recently announced plans to close 92 of its stores. In addition, the Work and Pensions committee is worried that the recent share price fall could impact the company’s pension fund. This could all be taken into account by the regulator.
Much will depend on how bad the breach turns out to be. If there has been fraud or identity theft as a result of this breach, the regulator may have no choice but to come down hard. In addition, having already hit the company for £400,000 for a lesser breach, it may also have limited its room to manoeuvre.
Whatever happens, Dixons Carphone customers need to start looking back through their credit and debit card statements to identify any suspicious actions.