The Dixons Carphone data breach is way worse than first thought

Dixons Carphone first admitted it suffered from a data breach in June. Since then the number of customer records impacted has ballooned from 1.2 million to ten million

Dixons Carphone doesn't have a good record with data. The owner of mobile retailer Carphone Warehouse and Currys PC World has been hit by two big customer data breaches in recent years, and it has now revealed that a 2017 hack was far worse than originally thought.

The firm believes ten million customer records containing personal information were accessed in 2017, having originally said it was just 1.2 million records. What's more: it's found "evidence" that an unknown portion of this data may have been swiped from its systems. The data taken doesn't include payment card or bank account details.

Dixons Carphone admitted the new figure in a statement issued to customers and investors. It first disclosed the breach in June 2018, but at that point it clearly had not yet established the full extent of what had happened.

When first announcing the breach, the company said 1.2 million records – including email addresses, names and home addresses – had been accessed. Dixons Carphone said in June that it didn't have "evidence that this information has left our systems". In addition, it said around 5.9 million payment cards had been affected. On both occasions when confessing to the data breach, the company has said it believes no fraud has taken place as a result of the information being lost.

So what caused the increase in the number of customers affected by the hack? In short: time. Europe's new General Data Protection Regulation (GDPR) requires companies to tell regulators about data breaches within 72 hours of becoming aware of them. In this case Dixons Carphone will have had to inform the UK's Information Commissioner's Office (ICO) very soon after it discovered the problem, before its investigation was complete.


GDPR also says businesses suffering from data breaches must tell their customers if there's a "high risk of adversely affecting individuals’ rights and freedoms". In June 2018, when Dixons Carphone first publicly revealed the data breach, a spokesperson said the company had discovered the hack during the previous week.

Since then, the company has had more time to forensically analyse its IT systems to find out the full extent of the hack. So far it hasn't given any technical details of how customer information was accessed or taken, although these are likely to emerge as investigations progress. Previously, Carphone Warehouse, one of the businesses owned by Dixons Carphone, was hit by a relatively straightforward cyberattack that saw millions of records accessed.

The ICO fined Carphone Warehouse £400,000 in January 2018 over a cyberattack that took place in 2015. That attack originated in Vietnam and used fairly simple software to find a WordPress installation that Dixons Carphone had not kept patched. The ICO described the software as "considerably out-of-date".
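The attack described above turned on a publicly visible fact: WordPress advertises its version number, so a scanner can spot an unpatched install without ever exploiting it. The following is an added, defender-side example (it is not code from the article, the ICO or Dixons Carphone) showing the check a site owner can run against their own pages: it pulls the version from the HTML generator meta tag or the bundled readme.html and compares it with whatever the site owner treats as the current release. The HTML snippets and version numbers are constructed for illustration and say nothing about what Carphone Warehouse actually ran.

```python
"""Added example: detect a disclosed, out-of-date WordPress version.

Not from the WIRED article or from any of the companies it names.
All HTML and version strings below are constructed for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# WordPress discloses its version in two common places:
#   1. <meta name="generator" content="WordPress X.Y.Z" /> in page HTML
#   2. "Version X.Y.Z" in the readme.html shipped in the web root
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)',
    re.IGNORECASE,
)
README_RE = re.compile(r"Version\s+([0-9][0-9.]*)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """'4.9.8' -> (4, 9, 8). Strips a stray trailing dot left by the regex."""
    return tuple(int(part) for part in text.strip(".").split("."))


def extract_version(html: str, readme: Optional[str] = None) -> Optional[Version]:
    """Return the disclosed WordPress version, preferring the generator tag.

    Falls back to readme.html when the tag has been removed, and returns
    None when neither source discloses a version.
    """
    match = GENERATOR_RE.search(html)
    if match:
        return parse_version(match.group(1))
    if readme:
        match = README_RE.search(readme)
        if match:
            return parse_version(match.group(1))
    return None


def is_out_of_date(disclosed: Version, current: Version) -> bool:
    """Component-wise comparison, zero-padded so 4.9 equals 4.9.0."""
    width = max(len(disclosed), len(current))
    pad = lambda v: v + (0,) * (width - len(v))  # noqa: E731
    return pad(disclosed) < pad(current)


def assess(html: str, readme: Optional[str] = None, current: str = "5.0.0") -> str:
    """One-line verdict for a site. `current` is the release the site owner
    considers up to date (a constructed default here, not a real baseline)."""
    disclosed = extract_version(html, readme)
    if disclosed is None:
        return "no version disclosed"
    status = "OUT OF DATE" if is_out_of_date(disclosed, parse_version(current)) else "current"
    return f"WordPress {'.'.join(map(str, disclosed))}: {status}"


# Constructed sample responses (not captured from any real site).
OLD_SITE_HTML = (
    '<html><head><meta name="generator" content="WordPress 3.5.1" />'
    "<title>Shop</title></head><body></body></html>"
)
STRIPPED_SITE_HTML = "<html><head><title>Shop</title></head><body></body></html>"
SAMPLE_README = "<h1>WordPress</h1><p>Semantic Personal Publishing</p>Version 4.9.8"

if __name__ == "__main__":
    print(assess(OLD_SITE_HTML))                       # WordPress 3.5.1: OUT OF DATE
    print(assess(STRIPPED_SITE_HTML, SAMPLE_README))   # WordPress 4.9.8: OUT OF DATE
    print(assess(STRIPPED_SITE_HTML))                  # no version disclosed
```

Removing the generator tag does not stop a determined scanner, as the readme fallback shows; the point of the check is to make the version visible to the people who have to patch it, so that "considerably out-of-date" is caught internally before an attacker catches it.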

"The attacker accessed numerous databases," the ICO said in its report into the hack. The hacker ended up accessing the data of more than three million customers and 1,000 Carphone Warehouse employees. This included names, addresses, phone numbers, dates of birth, marital status and old credit card details.

The ICO, which is investigating the latest data breach, has the power to fine the company significantly more under GDPR than the £400,000 it previously issued. When it issued the fine for Carphone Warehouse, the ICO came to a damning conclusion: "[The Commissioner] remains of the view that deficiencies in Carphone Warehouse's technical and organisational measures created real risks of such data breaches, and that they played an essential causal role in this particular incident."

This article was originally published by WIRED UK