European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”.

Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review. However, this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which puts the onus on data controllers to disclose breaches rapidly, rather than, as has all-too-often been the case, sitting like broody hens waiting for the most opportune corporate moment to hatch a confession while leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk.
In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force), or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force. A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this means not just personal data that has actually been confirmed as lost or stolen, but also any security incident that entails the risk of unauthorized access to customer data.

The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. While it’s clear that not every breach will require disclosure (if personal data was robustly encrypted, for example, a company may deem it unnecessary to disclose a breach), that caveat still sets a pretty low disclosure bar, at least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty.
Read More » Dixons Carphone admits 2017 hack was bigger than first thought
Dixons Carphone -- owner of major high street brands Currys PC World and Carphone Warehouse -- has confirmed that its 2017 cyber attack was much bigger than first anticipated. In an investor announcement, the company said that the breach affected as...
Read More » Dixons Carphone discloses data breach affecting 5.9M payment cards, 105k of which were compromised
European electronics and telecoms retailer Dixons Carphone has revealed a hack of its systems in which the intruder/s attempted to compromise 5.9 million payment cards. In a statement put out today it says a review of its systems and data unearthed the data breach. It also confirms it has informed the UK’s data watchdog the ICO, financial conduct regulator the FCA, and the police.

According to the company, the vast majority of the cards (5.8M) were protected by chip-and-PIN technology — and it says the data accessed in respect of these cards contains “neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made”. However around 105,000 of the accessed cards were non-EU issued, and lacked chip-and-PIN, and it says those cards have been compromised.

“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident,” it writes.

In addition to payment cards, the intruders also accessed 1.2M records containing non-financial personal data — such as name, address or email address. “We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take,” the company adds.

In a statement about the breach, Dixons Carphone chief executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected
Read More » Coming soon to Tesco: Currys PC World outlets
Tesco is already a solid if unspectacular seller of consumer tech, but a new partnership with Dixons Carphone looks set to take things up a notch. In an announcement today, the UK's biggest grocer confirmed it will open two Currys PC World outlets in...
Read More » Dixons Carphone to close 11 percent of UK stores
The British high street is a difficult place to compete. Dixons Carphone, the company behind Currys, PC World and Carphone Warehouse, knows that all too well after announcing plans to shutter 134 stores. The downsizing manoeuvre will merge any remain...
Read More » 5 best gaming accessories to make a very merry, virtual Christmas – Siliconrepublic.com
Siliconrepublic.com: And while some are happy to use the standard keyboard they got with the desktop PC, some of the more hardcore gamers like a keyboard that only somewhat resembles what the general public would know as a keyboard. So step forward the Blackwidow ...
Read More » Sprint turns to a British retailer to reverse its US fortunes
It's been almost a year since UK retailers Dixons and Carphone Warehouse tied the knot. Life as a combined entity, known as Dixons Carphone, is off to a good start: profits are up and the company made efforts to expand its presence, including the lau...