Dixons Carphone: 10 Million Records Exposed in 2017 BreachRetailer Revises Breach Impact Upward; 5.9 Million Payment Cards Also Exposed
Struggling European electronics giant Dixons Carphone says its investigation into a July 2017 data breach has found that the incident was worse than it initially believed, affecting 10 million customers - 10 times the number it previously reported (see Dixons Carphone Breach: 5.9 Million Payment Cards Exposed).
"Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017," the publicly traded company says in a Tuesday statement. "While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted."
London-based Dixons Carphone is a multinational electrical and telecommunications retailer and services company that owns and operates a number of brands throughout Europe, including Carphone Warehouse, Currys, Dixons Travel and PC World.
The company issued its first alert on the breach on June 13, saying that "as part of a review of our systems and data, we have determined that there has been unauthorized access to certain data held by the company." At the time, it said that 5.9 million payment cards may have been accessed, of which 5.8 million had chip-and-PIN protection. That figure has not changed.
But it previously said that 1.2 million records with non-financial information - including customers' names, addresses and email addresses - had been accessed. Now, however, it says 10 million such records were exposed.
Alex Baldock, CEO of Dixons Carphone, issued an apology to customers and says his firm is communicating advice on how they can best protect themselves.
"Since our data security review uncovered last year's breach, we've been working around the clock to put it right," Baldock says. "That's included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we're updating on today. As a precaution, we're now also contacting all our customers to apologize and advise on the steps they can take to protect themselves."
National Crime Agency Investigates
The U.K.'s National Crime Agency is leading the law enforcement response to the breach, and its National Cyber Crime Unit officers are working with Dixon Carphone investigators to secure evidence.
"Due to the complexity of these inquiries, the investigation will take some time," says the U.K.'s National Cyber Security Center, the country's national incident response team that's part of the GCHQ signals intelligence agency.
Last month, the Information Commissioner's Office, which enforces the country's data privacy laws - including the EU's General Data Protection Regulation - told Information Security Media Group that it was too early to say if the breach would fall under GDPR, which has been in effect since May 25.
As of Tuesday, the ICO says its investigation - together with NCA, NCSC and the Financial Conduct Authority - remains ongoing. "Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated," the ICO said on Tuesday.
"Our investigation into the incident is ongoing and we will take time to assess this new information," the ICO says. "In the meantime, we would expect the company to alert all those affected in the U.K. as soon as possible and to take all steps necessary to reduce any potential harm to consumers."
Security experts say it's not unusual to see businesses revising upward - or occasionally, downward - their estimate of the number of records that may have been exposed in a breach, once investigators have had time to mitigate the intrusion and assess the damage (see Equifax: US Breach Victim Tally Stands at 146.6 Million).