Dixons Carphone has been forced to admit that the mass data breach – which it claimed took place last year – affected up to 10 million customers, a huge increase on its original estimate of 1.2 million.
It said personal information, names, addresses and email addresses may have been accessed, but continues to insist that bank details were not accessed and that it can find no evidence the breach had resulted in any fraudulent activity.
The hackers did get access to records of 5.9 million payment cards, but nearly all of those were protected by the chip and PIN system.
Dixons said it was “very sorry for any distress” caused, confirming it had drafted in leading cyber security experts and had put in further security measures to safeguard customer information.
Dixons Carphone chief executive Alex Baldock said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.”
The ICO is continuing its investigation into the issue, including whether or not it continued after May 25, which would make it fall under the GDPR regime.
An ICO spokesperson said: “Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated.
“Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers.”
The Carphone Warehouse division was slapped with a joint record £400,000 fine in January over “multiple inadequacies” in its data security.