Dixons Carphone Breach: Major Hack Exposes 5.9 Million Credit Cards, 1.2 Million Customer Records

Electronics retailer Dixons Carphone has said that 1.2 million records holding non-financial personal data including customer names, home addresses and email addresses have been compromised in a data breach, while an attempt was also made to access 5.9 million credit cards.

The company, which houses a number of well-known brands including Currys PC World and Carphone Warehouse, said in a press release on Tuesday that it was now contacting the victims whose personal data was accessed to apologize, and said it will provide advice on what “protective steps they should take.” It said that an investigation into the suspected cyberattack remains ongoing but that relevant authorities—including the police and the U.K. data watchdog—have been notified.

Officials believe there was an attempt to access 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores, although they did not elaborate on specifics. The exact timescale of the incident also remains unclear; however, the BBC has said it began in July last year.

Dixons Carphone could not be reached for comment at the time of publication. An individual reached at Brunswick Group, an advisory firm, told Newsweek the relevant PR contacts were all busy.

In its public statement, the firm claimed 5.8 million of the targeted credit cards had security protection in place. It said that the records did not contain “pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.” However, it said 105,000 non-EU issued payment cards which did not have chip and pin protection were stolen.

Dixons Carphone said that it had no evidence to suggest the accessed information had resulted in any fraud and indicated that the culprit’s attack route into its sensitive systems had been stopped.

“We are extremely disappointed and sorry for any upset this may cause,” said Dixons Carphone chief executive officer, Alex Baldock. “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.

“We promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected,” Baldock added.

In a statement, the Information Commissioner’s Office (ICO), a British data breach watchdog that has the power to enforce fines and penalties, said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”

It is not the first data breach to hit a Dixons Carphone business. In January this year, Carphone Warehouse was fined £400,000 by the ICO after one of its computer systems was compromised by a cyberattack in 2015. The company’s failure to secure the system allowed unauthorized access to the personal data of over three million customers and 1,000 employees, it emerged at the time.

Updated | Additional info on firm's 2015 data breach penalty.

Join the Discussion