Dixons Carphone – whose Carphone Warehouse division was slapped with a joint record £400,000 fine in January over “multiple inadequacies” in its data security – has admitted yet another mega data breach involving 5.9 million payment cards and 1.2 million personal data records.
The company has admitted the latest breach happened “in the past year” but has not said why it is only just telling customers. It insists that 5.8 million of the credit and debit cards had chip-and-PIN protection and that PIN codes had not leaked. However, about 105,000 non-EU cards, which were not chip-and-PIN, had been compromised.
Dixons Carphone claims there is no evidence that any of the cards had been used fraudulently following the breach.
The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said.
Dixons Carphone chief executive Alex Baldock said the company was “extremely disappointed” by the data breach and “sorry for any upset”.
He added: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
The Information Commissioner’s Office confirmed it is investigating the issue.
In January, the ICO launched a scathing attack on Carphone Warehouse after the cyber-attack of 2015 allowed unauthorised access to the personal data of over 3 million customers and 1,000 employees.
The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration, were also accessed.
At the time, Information Commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Following a detailed investigation, the ICO identified what it described as “multiple inadequacies” in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information.