According to a statement made by the company, European electronics giant Dixons Carphone has suffered a serious data breach, or, as it appears, two separate data breaches.
Dixons Carphone Official Statement on the Data Breach
As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing.
The company says that there is no evidence to date of any fraudulent use of the data as a result of the described incidents. The relevant authorities, including the ICO, FCA and the police, have also been informed, the statement reads.
The multinational retailer owns and operates a number of famous brands and services in Europe, such as PC World, Carphone Warehouse, Currys, and Dixons Travel. Judging by their statement, in July 2017 there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. The investigation also unveiled that 1.2 million records containing non-financial personal details like name, address or email address have been compromised. Even though the company says they were quick to launch an investigation, the data breaches are more than vexing.
The company also says that, out of the 5.9 million cards, 5.8 million have chip and PIN protection in place. This means that the data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. This leaves approximately 105,000 non-EU issued payment cards without chip and PIN protection exposed and compromised.
As a precaution, Dixons Carphone immediately notified the relevant card companies via their payment provider about all these cards so that they could take the appropriate measures to protect customers, the statement says.
According to the company, only card numbers appear to have been exposed in the data breach, explaining that “the data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made”.
Even though this is considered good news, the stolen card details could still be abused in online fraud. The company has underlined that they haven’t seen any signs of illicit activities, but the lack of proof doesn’t mean that there hasn’t been any crime. And if there hasn’t been any crime, who is to say that this crime won’t happen tomorrow?
Does GDPR Apply to the Dixons Carphone Data Breach?
This is still to be decided since the data breach might date from July 2017. Nonetheless, organizations that violate GDPR are subject to fines of up to 4 percent of their annual global revenue or €20 million ($23 million), whichever amount is bigger. Other penalties may be imposed as well, including losing the organization’s ability to process people’s personal data.