Dixons Carphone has now confirmed the sheer scale of a data breach it suffered, revealing that 10 million records containing personal data were illegally accessed by hackers.
This is roughly an eightfold increase on the company's original estimate in June, when it believed that a little over a million records had been accessed.
In addition to the 10 million records, Dixons Carphone believe that around 5.8 million customer bank details were also hacked.
Chief executive Alex Baldock said on Tuesday: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.”
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
What to do if you’ve been affected?
Dixons Carphone is contacting everyone who has been affected by the breach so you should be getting an email or letter from them shortly.
While it’s always good practice to regularly check your bank statements for unusual activity, the company has said that it’s reached out to all of the banks and informed them of each of the accounts that were compromised.
Your bank should then get in touch about arranging either a new card, or helping you rectify any fraudulent activity if there’s been any.
The vast majority of the 5.8 million card details that were stolen were, however, protected by chip and PIN. That protection covers in-person transactions, where a fraudster would need the physical card and the PIN, so those cards should be safe from cloning. It does not by itself rule out online or telephone (card-not-present) use, which depends on what other details, such as the expiry date or security code, were exposed, so it is still worth checking statements until your bank confirms the card has been replaced.
Speaking to HuffPost UK, Andy Norton, director of threat intelligence at Lastline, had this advice: “Firstly it’s important to understand what data has been lost, because different pieces of data will have different ramifications in specific aspects of a user’s identity. Secondly, change credentials, update passwords, update all sites that use the same password. Third, contact your bank or credit card provider to let them know your card data has been in a breach. Finally, consider getting a credit monitoring service, or identity theft protection service, and asking the affected company if providing those services is covered as part of their cyber insurance policy.”
What’s next for the company?
Carphone Warehouse was already fined £400,000 in January for a separate data breach, so with its parent company now disclosing an even larger one, privacy advocates will be pressing the Information Commissioner’s Office (ICO) for an appropriate response.
Gareth Oldale, partner at law firm Sharpe Pritchard and an expert in data protection law, believes this could even be the first data breach to fall under the new GDPR rules.
“Questions will also be asked as to whether this will be the first fine to be issued under the GDPR, which provides scope for the ICO to issue fines of up to £17 million or 4% of global annual turnover, whichever is the greater,” explains Oldale.
“Whilst again more information is needed before determining this conclusively, if the breach occurred last Summer, before the GDPR came into force, then it would seem likely that the maximum fine that could be issued by the ICO would be £500,000, i.e. the maximum limit for fines under the old data protection regime.”
It’s important to note that Dixons Carphone’s own investigation is still underway, so it’s unclear what sort of response there will be from the ICO, if any.