Dixons Carphone data breach – millions put at risk of fraud

Once again a large company has suffered a huge data breach, putting millions of innocent customers at risk.

Customers of the popular British high street stores Currys PC World, Carphone Warehouse, and Dixons Travel have been warned of a huge data breach involving 5.9 million payment cards and the personal data records of 1.2 million individuals.

Parent company Dixons Carphone said in a statement that a review of its internal systems uncovered a security breach in one of the processing systems used by Currys PC World and Dixons Travel stores.

According to reports, the breach – which has only just been made public – could have occurred as far back as 2016.

What makes the breach particularly serious is that hacking incidents often involve the exposure of users’ personal information (such as names, email addresses, or even passwords) but *not* their payment information.

With the Dixons Carphone hack, however, things are different – with almost six million payment card details ending up in the hands of hackers.

The only silver lining is that Dixons Carphone says the majority of the breached cards have chip and PIN protection:

5.8m of these cards have chip and PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

However, the firm admits that approximately 105,000 non-EU payment cards were not protected by chip and PIN, potentially putting those consumers at greater risk of fraud. Chip and PIN only protects in-person transactions; the practical risk from a leaked card number and expiry date is card-not-present fraud at merchants that do not insist on a CVV, so cardholders should watch their statements for unexpected online or overseas charges.

Even if consumers’ credit card details are not at risk of being exploited, there are still dangers associated with the security breach.

For instance, Dixons Carphone has admitted that hackers also gained access to 1.2 million personal records containing non-financial information (such as names, addresses, and email addresses).

Past incidents have shown that criminals are quick to exploit such information in follow-up attacks. A typical ploy is a message purporting to come from the hacked company (often citing the breach itself as the pretext) that tricks customers into handing over further personal details, which can then be used for identity theft. The check a customer can make is simple: treat any message that asks them to confirm account or card details as suspect, and contact the retailer through its published website or phone number rather than via links in the email.

It’s easy to imagine, for instance, that customers may have found themselves on the receiving end of malicious spam or phishing attacks in the wake of the hack.

If all of this sounds somewhat familiar then you’re not wrong.

Three years ago, in 2015, Carphone Warehouse (which was then a separate company) warned that approximately three million customers had been put at risk after its IT systems had been breached by hackers.

That incident cost Carphone Warehouse £400,000 in the form of a fine from the Information Commissioner’s Office (ICO).

In the ICO’s report on that incident, Carphone Warehouse was criticised for its “multiple inadequacies” when it came to security and its failure to take adequate steps to protect customers’ personal information.

Little has yet been made public about precisely which security failings allowed the hackers to gain access to the sensitive information in this latest breach.

But questions will now no doubt be asked as to whether the merged companies learned enough from the earlier hack and were taking appropriate steps to ensure that data security would be maintained.

Dixons Carphone Chief Executive, Alex Baldock, says the company is “extremely disappointed and sorry for any upset [the hack] may cause,” and shares in the company have dropped 3% today.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: