Dixons Carphone in Britain faces major data breaches

Threat Actor: Unknown
Victim: Dixons Carphone
Price: Not specified
Exfiltrated Data Type: Customer data

Additional Information:

  • Dixons Carphone, a UK multinational telecommunications company, announced on the 13th that it is investigating a data breach in which customer data was illegally accessed.
  • The breach affected approximately 5.9 million cards in the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection, and the accessed data does not contain PIN codes, card verification values (CVV), or any authentication data enabling cardholder identification or purchases.
  • Around 105,000 non-EU issued payment cards without chip and PIN protection were compromised.
  • The relevant card companies were immediately notified to take appropriate measures to protect customers.
  • No evidence of fraud on the compromised cards has been found so far.
  • The Information Commissioner’s Office (ICO) is investigating the incident under the Data Protection Acts of 1998 and 2018.
  • Ilia Kolochenko, CEO and founder of cybersecurity company High-Tech Bridge, praised Dixons Carphone’s decision to disclose the breach but questioned the timeline of the disclosure.
  • Dixons Carphone is collaborating with the National Cyber Security Centre (NCSC), financial regulators (FCA), data protection regulators (ICO), and cybersecurity experts.
  • If the ICO finds that Dixons Carphone failed to protect customer data, hefty fines may be imposed.

Dixons Carphone, a well-known UK multinational telecommunications company, announced on the 13th that it is investigating an incident in which a large amount of customer data was illegally accessed. The company's official description of the incident was:

“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised. As a precaution, we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.”

The ICO did not provide any information. Its spokesperson said: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

Alongside the general concern, some observers praised the Dixons Carphone statement. Ilia Kolochenko, CEO and founder of cybersecurity company High-Tech Bridge, said: “With over a billion of compromised records last year, I think this particular incident is of small importance. Many similar breaches occur every day and alas remain unnoticed. Unless we have evidence of malicious exploitation of the allegedly stolen data, no major detriment is imputable upon the victims. In light of these facts, Dixons Carphone’s decision to disclose – is rather laudable, albeit one may question the timeline of the disclosure. Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches.”

However, no one can guarantee that the leaked data will not have a negative impact in the future. If a more significant loss does occur, the victim is likely to be an innocent individual. Dixons Carphone is currently working with the UK's National Cyber Security Centre (NCSC), financial regulators (FCA), data protection regulators (ICO) and leading cybersecurity experts. If the ICO finds that Dixons Carphone was careless in protecting customer data, it may impose hefty fines. Given the timing of the incident, many companies and cybersecurity professionals are believed to be watching how it is handled. Follow-up developments are worth watching.

Source: securityweek

Original Source: https://securityonline.info/british-dixons-carphone-announces-serious-data-breaches/