Little more than three years since its previous security incident, electronics retailer Dixons Carphone has admitted to a data breach compromising 5.9 million customer cards and 1.2 million personal records – making it the biggest online data breach in UK history.
In a statement released on Wednesday, the retail giant revealed it had identified the colossal breach while it was reviewing its systems and data.
Newly appointed chief executive Alex Baldock admitted the group had “fallen short” of its responsibility to protect customers’ data, adding that “cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Although there is no evidence of fraud as a result of the incident, consumer watchdog Which? said the breach “raises serious questions” about how Dixons Carphone handles customer data.
Shares plummeted by as much as 6% following the revelation – a blow following the strong revenue growth indicated in the company’s recent trading report, which was released just two weeks ago.
The first of the GDPR mega-fines?
Although the breach occurred before the General Data Protection Regulation (GDPR) took effect, the Information Commissioner’s Office (ICO) said it was investigating whether the incident should be treated under the Regulation, which carries fines of up to €20 million or 4% of annual turnover (whichever is greater) – significantly higher than the previous regime, which saw any penalty capped at £500,000.
Alan Calder, founder and executive chairman of IT Governance, said the breach “serves as a warning for all companies”, adding that “you cannot predict when an attack will occur, but what you can predict is that if you are unable to demonstrate accountability for GDPR compliance, you will face reputational damage and substantial fines”.
It’s not too late to comply with the GDPR
ISO 27001, the international standard that describes best practice for an information security management system (ISMS), provides an excellent starting point for achieving the technical and operational measures required by the GDPR to help mitigate data breaches.
Implementing a documented, ISO 27001-aligned ISMS can help your organisation achieve GDPR compliance while providing clear evidence that you have taken reasonable measures to address information security risks, which regulators will look upon favourably.
Download this informative guide to GDPR compliance and its relation to ISO 27001 to discover:
- What a comprehensive data security regime looks like;
- What an ISMS is and how to go about implementing one;
- How achieving ISO 27001 certification can enable you to meet the GDPR’s technical and organisational requirements; and
- Useful guidance on how to effectively prepare for the GDPR.