Incident Of The Week: U.K. Telecom Retail Breach Exposes 5.9M Records

Retailer Dixons Carphone Announces Data Breach



Dan Gunderman
06/15/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a data breach at Dixons Carphone, a British electronics company. The event in question allegedly involved 5.9 million payment cards and 1.2 million personal data records.

The exposure of personally identifiable information (PII) has prompted an internal investigation. The company said this offensive began in July 2017, according to the BBC.

While the threat actor(s) in question attempted to compromise 5.8 million cards, a smaller number, 105,000 cards without chip-and-pin protection, were leaked. These black hats allegedly attempted to enter the company’s processing systems.

The victimized organization said there is no evidence that the cards have been used fraudulently. Nevertheless, the company’s shares dipped 3% on Wednesday.

The 1.2 million personal data records that hackers tapped into reportedly held information such as name, address and email address.

The U.K.-based National Cyber Security Centre stated it was working with Dixons Carphone and others to grasp the totality of the breach and the ways it affects U.K. citizens. What’s more, Carphone Warehouse said there is no indication that information left its systems, but that it is contacting affected customers.


While the breach occurred in 2017, the company said it discovered the event just last week.

Alex Baldock, Dixons Carphone chief executive, indicated that he was “extremely disappointed” about the data mishap.

According to the BBC, Baldock said, “The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

He said the company has taken action to curb the unauthorized access.

The nation’s Information Commissioner’s Office leveled a £400,000 fine against Carphone Warehouse – which merged with Dixons in 2014 – for a 2015 cyber-incident.

One payment mechanism that bodes well for Dixons Carphone customers is chip-and-pin technology – something that has largely been embraced within the European Union. Because of the EMV chip technology, compromised cards cannot be used without an additional code.

While the breach was announced this week, it occurred before the May rollout of the General Data Protection Regulation (GDPR). This means the organization may be open to a £500,000 fine – versus a steeper €20 million fine (or 4% of turnover) under the careful watch of GDPR. However, regulators may leverage expanded investigatory powers granted by GDPR, the Financial Times points out.
