GCHQ cybersecurity experts investigate Dixons Carphone data breach

Electronics retailer apologises for breach involving 5.9m customers’ bank card details

A branch of GCHQ, Britain’s intelligence and security service, is investigating one of the UK’s biggest data breaches at a single firm, involving unauthorised access to 5.9 million Dixons Carphone customers’ cards.

The National Cyber Security Centre said it was working alongside the retailer and other agencies after the attack, which also involved unauthorised access to 1.2m personal records of Dixons Carphone customers.

“Anyone concerned about fraud or lost data should contact Action Fraud and we recommend that people are vigilant against any suspicious activity on their bank accounts,” the NCSC said.

Dixons Carphone said it had identified the massive data breach while it was reviewing its systems and data. The consumer electronics firm said there was an attempt to compromise the cards in a processing system at Currys PC World and Dixons Travel, but said there was no evidence of fraud as a result of the incident.

In a second breach, personal data such as names, addresses or email addresses have been accessed. Again, Dixons said there was no evidence that it had resulted in fraud.

Alex Baldock, its chief executive, apologised for the data breach and admitted the company had failed its customers.

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Baldock said the company had engaged cybersecurity experts to handle the matter and had added extra security measures to its systems.

The retailer will be writing over the coming days to those customers whose personal data was breached, “to inform them, to apologise, and to give them advice on any protective steps they should take”.

Of the 5.9m cards that were accessed illegally, 5.8m were chip and pin protected, and no pin codes, card verification values (CVV) or authentication data were accessed, meaning purchases could not be made.

However, about 105,000 payment cards from outside the EU and without chip and pin protection were accessed. The retailer said it had notified the banks concerned and they had not detected any fraudulent purchases on customer accounts.

Shares in Dixons Carphone fell as much as 6% at one point on Wednesday after the data breach was announced, as investors factored in a potentially steep fine for the company, as well as potential damage to the firm’s reputation.

The retailer said that while the data breach was only discovered over the past week, it occurred within the last year, before 25 May when the new European General Data Protection Regulation (GDPR) rules came into force.

Under the previous Data Protection Act rules, the maximum fine imposed would be £500,000.

Under the GDPR rules, firms could face a maximum of €20m (£17.6m) or 4% of global turnover, whichever is the greater.

The independent regulator, the Information Commissioner’s Office, said it was investigating the breach alongside the NCSC and the Financial Conduct Authority.

A spokesman for the ICO said the investigation was at an early stage. He added: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

Alex Neill, a managing director at the consumer group Which?, said the security breach was a major concern.

“This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data. It is critical the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

Dixons Carphone said its investigation into the cyber-attack had yet to identify the culprit or culprits. The retailer has informed the police and other relevant authorities.

Contributor

Angela Monaghan

The GuardianTramp
