Dixons Carphone says a data breach in 2017 was worse than originally thought as it affected 10 million customers – nine million more than initially estimated.
The huge breach first came to light in June when Dixons Carphone revealed hackers may have accessed 1.2 million personal data records – a figure that has now been revised to 10 million. In an update this morning the mobile phone business said it had been investigating the breach since it was discovered and putting “further security measures in place to safeguard customer information, increased our investment in cybersecurity and added additional controls”.
The firm apologised again to customers in an announcement on Tuesday:
“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.”
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted.”
“We are continuing to keep the relevant authorities updated.”
“As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud.”
“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing.”
“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”
Dixons said it had been working with leading cyber security experts and had put in further security measures to safeguard customer information.
The National Crime Agency began investigating the breach last month when it was first revealed. It is working with the National Cyber Security Centre, the Financial Conduct Authority and the UK’s data protection regulator, the Information Commissioner’s Office.
Dixons Carphone Chief Executive Alex Baldock said:
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
Dixons Carphone’s latest admission of a data breach comes six weeks after the company said it believed there had been other attempts since last year to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores, which was protected by chip and PIN. Dixons Carphone has assured customers that pin codes, card verification values and authentication data that could be used to make purchases have not been accessed and there is no evidence any fraud has resulted.
Although Dixons Carphone does not believe the breach is ongoing, they advise customers to take protective steps to minimise the risk of fraud.