Hackers steal bank card details of SIX MILLION Dixons Carphone customers after being inside the firm's computer systems unnoticed for almost a YEAR

  • Dixons Carphone has confirmed there has been unauthorised access of its data
  • Breach included details of 5.9m payment cards and 1.2m personal data records
  • Access was also gained to non-financial personal data, such as addresses

One of the worst British cyber attacks was only discovered after the hackers had been inside the system for almost a year.

Unbeknown to electronics giant Dixons Carphone, hackers were able to access the details of 5.9 million payment cards and the personal data records of a further 1.2 million customers.

The major data breach involved shoppers at Currys PC World and Dixons Travel but bosses insist there is no sign of any related fraud.

Access was also gained to non-financial personal data, such as addresses, names and email information.

It comes just months after the company was fined £400,000 for a 2015 cyber attack which exposed the personal data of more than three million customers. 

Retailer Dixons Carphone has become the latest victim of a cyber attack after revealing 5.9 million customer bank card details and 1.2 million personal data records were hacked


The retailer said there was a likely attempt to compromise millions of cards in a processing system for Currys PC World and Dixons Travel stores.   

The retailer said 5.9 million of the payment cards targeted were protected by chip and PIN, but that around 105,000 non-EU cards without chip and PIN protection were compromised.

The company is urging customers to take protective measures, but said there is no evidence of fraud on the cards at this stage. 

It said the data accessed did not contain PIN codes, card verification values (CVV) or any authentication data allowing cardholder identification or a purchase to be made.

The group added it did not believe the personal data accessed had left the group's systems.

The hack could lead to the company becoming the latest to be fined by the Information Commissioner, after Yahoo was fined £250,000 over a breach involving 500,000 UK customers and TalkTalk was hit with a £400,000 fine after 150,000 customers' details were accessed.

Dixons Carphone chief executive Alex Baldock said: 'We are extremely disappointed and sorry for any upset this may cause.

'The protection of our data has to be at the heart of our business, and we've fallen short here.

'We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.'

He told the Daily Mail: 'One of the early things I did is ... launch a review of our systems and our data. 

'As part of that review we determined that this breach had occurred. 

'Even though the breach itself dates back to July last year we have got clarity on it in the past week.

'We are coming out early, very early, in the process.'

Mr Baldock described the hack as 'a sophisticated attack' using 'advanced malware'. In a grovelling apology, he said: 'It is extraordinarily disappointing and I am extremely sorry and I am unhappy we let ... our customers down.'

The scandal comes after Carphone Warehouse, now owned by Dixons Carphone, was fined £400,000 by the ICO in January following a hack hitting more than three million customers in 2015.

For the past 11 months, hackers have been able to access personal data, including addresses and phone numbers. Dixons said the hack occurred in one of the processing systems of Currys PC World and Dixons Travel stores.

The breach included details of 5.9 million payment cards and 1.2 million personal data records 


Simon McCalla, of Nominet, which is responsible for the security of UK domain names, said the timing of the breach is all the worse considering the recently brought in rules on data protection.

He said: 'It's also alarming to see how long it took the company to respond to the breach, which allegedly began in July last year.

'As we're now nearly a year on, something clearly went wrong. With GDPR now in place, businesses need to tighten up their processes and ensure they have a plan in place to prevent these breaches, or risk paying a huge penalty.

'The company doesn't believe any customer data left its systems, but at this stage they can't be sure, especially as over 100,000 non-EU cards have been compromised.' 

The Information Commissioner's Office is investigating and urged anyone who feared they were a victim of fraud to follow the advice of Action Fraud. 

It is understood the breach took place before new rules on data protection were introduced in May, meaning the company would not have had to notify authorities within 72 hours.

Dixons Carphone says it will write to affected customers and give them advice


However, lawyer Edward Parkes, from law firm Harcus Sinclair, said customers could still be entitled to compensation.

He said: 'If the breach is Dixons' fault, customers will inevitably want to be compensated for any damages and distress caused as a result of hackers being in possession of their financial data. 

'The sum will not be large, somewhere in the range of £1,000 to £5,000, and possibly even higher if a customer's identity was stolen as a result.'

He warned that hackers could now send out emails posing as Dixons, a practice known as 'phishing'.

Dixons hack Q&A: Information for customers

How can I find out if I'm affected?

Dixons says the vast majority of the cards involved - 5.8 million - have chip and PIN protection and attackers have not gained access to PIN codes, CVV (card verification value) security numbers or any authentication data which could enable them to identify the cardholder or make purchases.

However around 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised. Dixons says it immediately notified the card companies and banks, which are taking 'the appropriate measures to protect customers'.

Separately, 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed but Dixons says it has no evidence at this stage that this information has left its systems or resulted in any fraud.

Dixons Carphone is writing over the coming days to those customers whose personal data was breached, 'to inform them, to apologise, and to give them advice on any protective steps they should take'.

What is the advice from Dixons?

If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request.

If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040 or on the Action Fraud website.

Is there anything else I can do to protect myself?

Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try to take advantage of it.

How can I prevent myself from falling victim to a scammer?

If you receive a call from anyone you are not sure about, do not give out any personal details or passwords and take steps to check their identity.

Ask them to give you details only the company they claim to be calling from would know - for example, details of your service contract or how much you pay per month.

If you still have concerns about the caller's identity, hang up and call the company back.

Bear in mind scammers may have access to more of your personal information than seems normal. So if you are at all suspicious hang up, look up the organisation's number and call it yourself.


Dixons breach is latest in a series of hacking attacks on British firms

News of the Dixons hack comes the day after Yahoo's British arm was fined £250,000 for taking two years to tell half a million users that their personal information had been harvested by hackers.

Globally the personal data of 500 million customers was taken, including more than 515,000 in Britain, during the breach in 2014.

But it took the web giant two years to publicly admit this - meaning that users of the popular email service were in the dark for years.

Last night, the Information Commissioner's Office (ICO) accused the company of failing to take 'technical and organisational measures' to protect the data of 515,121 customers.

Hackers have repeatedly targeted British companies to access customers' data


It emerged last year that around 400,000 people in the UK may have had their information stolen following a cybersecurity breach at the credit monitoring firm Equifax.

The US company said an investigation had revealed that a file containing UK consumer information 'may potentially have been accessed'.

The data included names, dates of birth, email addresses and telephone numbers, but not addresses, passwords or financial information, the company said.

In 2016, TalkTalk was hit with a record £400,000 fine for the security failings that led to the company being hacked in October 2015.

The Information Commissioner's Office said the attack 'could have been prevented if TalkTalk had taken basic steps to protect customers' information'.

More than 150,000 of the internet service provider's customers had their personal information accessed, including the sensitive financial data of more than 15,000 customers.
