Dixons Carphone has suffered a major data breach involving 5.9 million payment cards and 1.2 million personal data records.
The incident began in July 2017, when attackers attempted to compromise payment cards in the processing system at Currys PC World and Dixons Travel. At this point, the major consumer electronics retailer said there was no evidence of any fraud.
In a second breach, personal customer data in the form of names, addresses and email addresses was accessed. However, Dixons Carphone again said that there is no evidence that the breach resulted in any fraudulent activity.
The retailer’s chief executive, Alex Baldock, has apologised for the data breach and admitted that the firm has failed its customers. The company has taken action to “close off this unauthorised access” and will be communicating directly with the affected customers.
This isn’t the first time
This isn’t the first time that the retailer has suffered a data breach. In 2015, the personal data of 2.4 million Dixons Carphone customers was affected. The data accessed included names, addresses, dates of birth, email addresses and bank details, as well as the encrypted card details of 90,000 people.
The ICO investigated the 2015 breach and fined Dixons Carphone £400,000 this January, which was one of the largest fines to date, for “multiple inadequacies” in its approach to data security.
With the General Data Protection Regulation (GDPR) now in effect, it is likely that any fine the ICO issues relating to this new breach will be significantly heavier, especially if the company has failed to implement appropriate measures since the 2015 incident.
However, even if it has significantly improved its data security practices since 2015, administrative fines might be the least of Dixons Carphone’s worries. Under the GDPR’s mandatory breach reporting regime, reputational damage is a significant threat for breached organisations, as is the possibility of legal action from data subjects if their rights have been infringed as a result of non-compliance with the Regulation.
Dixons Carphone shares fell more than 3% in early trading in light of the announcement, which is an additional blow after the company’s warning last month of a sharp fall in profits this year and plans to close 92 of its more than 700 Carphone Warehouse stores due to tough trading conditions.
It’s not too late to start your GDPR compliance journey
Data breaches can happen to any organisation at any time. Data security and GDPR compliance are matters of urgency for all companies.