One of the UK's largest data breaches to date, it affected just over 7 million individuals. The intrusion began in July 2017, yet Dixons Carphone only discovered it a week ago. The retailer has assured the public that the delay in disclosure was not an attempt to conceal the incident; it was simply unaware that the breach had happened.
Press coverage of the National Cyber Security Centre's response put it this way:
“The National Cyber Security Centre said it was working alongside the retailer and other agencies after the attack, which also involved unauthorised access to 1.2m personal records of Dixons Carphone customers. Anyone concerned about fraud or lost data should contact Action Fraud and we recommend that people are vigilant against any suspicious activity on their bank accounts.”
Double the Breach Trouble
Dixons Carphone's preliminary investigation revealed that the card processing systems at Dixons Travel and Currys PC World were compromised. It also found that 1.2 million records containing PII had been accessed. These two separate breaches hit the retailer while it was already down: it had recently been fined for a previous attack.
The sheer number of people affected is alarming: 5.9 million payment cards and 1.2 million personal records were involved. Of the payment cards, 5.8 million were protected by chip-and-PIN, which leaves around 105,000 cards without that protection whose details were exposed and usable. At this time, Dixons Carphone states that none of the stolen payment information has been misused.
What about GDPR?
With the scope of the breaches examined and understood, many are wondering what penalties the retailer will face. Because the intrusion began in July 2017, before GDPR took effect on 25 May 2018, Dixons Carphone may narrowly escape GDPR penalties, but many security professionals are speculating about whether the regulation will come into play at all.
According to Jonathan Armstrong, compliance and technology lawyer and partner at Cordery, while it seems likely that GDPR will come into play, "we needn't assume at this stage it is a breach reported under GDPR," he told Infosecurity.
If the regulator (in the UK, the ICO) does penalize the retailer under GDPR, it will likely weigh the volume of data accessed as well as how long the attack went undetected.
The manner in which the breach occurred will also be considered. For example, was this a known vulnerability that was left unpatched? The specifics uncovered in the coming investigations will greatly influence any penalties. For now, we will have to wait and see what penalties, under GDPR or otherwise, are imposed on Dixons Carphone.