“We’ve fallen short here,” says retail boss Alex Baldock.
Dixons Carphone, a European electronics and telecommunications retailer, has launched an investigation into a data breach involving 5.9 million customer card details and 1.2 million customer data records.
Issuing a security alert this morning, the London-listed retailer said an unauthorized third party had accessed “certain data” held by the company.
“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores,” the company said.
Dixons Carphone said 5.8 million of these cards were chip and PIN protected, and that the data accessed did not include PIN codes, card verification values (CVV), or “any other authentication data enabling cardholder identification”.
The company did not explicitly state that customers’ 16-digit card numbers or expiry dates were lost in the breach, although it did confirm that the 105,000 non-EU-issued payment cards that did not have chip and PIN protection were “compromised”.
Dixons Carphone did not immediately respond to The Daily Swig’s request for additional comment and clarification.
“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers,” the company stated. “We have no evidence of any fraud on these cards as a result of this incident.”
The investigation also revealed that 1.2 million customer records had been accessed. These records include non-financial personal data such as name, address, and email address.
High street giant
Dixons Carphone’s primary brands include Currys PC World, Carphone Warehouse, and Dixons Travel in the UK and Ireland, along with Elkjøp, Elgiganten, and Gigantti in the Nordic countries, and Kotsovolos in Greece.
Group-wide revenues totaled £4.9 billion in the first half of fiscal 2018.
The company said it has engaged “leading cybersecurity experts” to assist with its investigation and added extra security measures to its systems.
Commenting on the breach, Dixons Carphone chief executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.
“We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
The company’s share price fell around 4% in early morning trading.
While Dixons Carphone has not provided a timeline of events, the BBC is reporting that the hacking attempt began in July last year.
“Although it is admirable that a stalwart of the high street has admitted to a data breach, the fact is that admitting to these so far after the fact needs to stop,” said Etienne Greeff, CTO of UK-based information security firm, SecureData.
“A breach last year should have been admitted to last year, and customers should have been alerted to it last year – it’s bordering on gross negligence.”
Baldock said cybercrime is a “continual battle” for businesses operating today.
“We are determined to put this right and are taking steps to do so,” he said. “We promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected.”