Intruders also accessed 1.2 million personal data records, such as names, addresses or email addresses, in what is shaping up to be one of Britain’s biggest data breaches involving a single company.
United Kingdom-based electronics retailer Dixons Carphone has revealed a major data breach that involves 5.9 million payment card details and 1.2 million personal data records, according to the company’s statement and a BBC report.
Dixons Carphone said that a review of its systems and data has discovered “unauthorised access to certain data held by the company”. The firm said that, while an investigation is ongoing, it has found what it is calling “an attempt to compromise” 5.9 million cards in one of the processing systems of its Currys PC World and Dixons Travel stores.
Per the BBC, the intrusion traces back to July 2017 but was not discovered until last week.
The retailer said that 5.8 million of the payment cards have chip and PIN protection. “The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made,” said the company. However, the incident has also compromised around 105,000 non-EU issued payment cards with no chip and PIN protection.
To mitigate the risk of fraud, the retailer said that it has notified the relevant card companies, so that they can put measures in place to protect the cards’ owners. At the moment, there is no evidence that any of the cards had been used fraudulently following the breach, said the company.
Meanwhile, the personal data records that have been accessed by an attacker or attackers include names, addresses or email addresses. Again, according to the firm, there is no evidence of fraud as a result of the unauthorized access to this information.
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here,” the firm’s chief executive Alex Baldock said in the statement.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected,” he added.
The Information Commissioner’s Office (ICO), which is the UK’s data protection watchdog, said that it is looking into the incident together with the National Cyber Security Centre (NCSC) and the Financial Conduct Authority (FCA).
In addition to Currys PC World and Dixons Travel, the retailer operates other well-known electronics brands, mainly in the UK. One of them, Carphone Warehouse, was slapped with a fine of £400,000 early this year after a breach in 2015.
Dixons Carphone has said that the two breaches are unrelated.