5.9 Million Card Details Accessed in Dixons Carphone Hack
14.6.18 securityweek Incident
Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating "unauthorised access to certain data held by the company." It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," and "1.2m records containing non-financial personal data, such as name, address or email address..."
This may turn out to be the biggest ever breach in the UK.
Right now, nothing has been disclosed on how the breach was effected, nor who might be the culprit. There are reports, however, that the incursion started almost a year ago in July 2017. With no technical details available, interest is focusing on why it took so long to discover the breach; how the company is handling the disclosure and notification; and whether the data protection regulator will consider the breach under the UK Data Protection Act 1998, or the EU's General Data Protection Regulation (GDPR) that came into effect on May 25.
The ICO's own statement gives nothing away. A spokesperson said, "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 18 Data Protection Acts." For the latter, read 'GDPR' until the UK's Brexit takes effect.
The ambiguity arises because the breach occurred – or at least commenced – in pre-GDPR times. What we don't know is when Dixons Carphone discovered the breach. Since May 25 it will (probably) have been subject to the very strict GDPR breach notification rules.
If the whole incident is considered under GDPR rules, the ICO could potentially fine Dixons Carphone up to 4% of its annual global revenue. Last year the group reported total sales of £10.5 billion ($14 billion). A fine under GDPR could be many hundreds of millions of pounds. Under the Data Protection Act 1998, the maximum fine would be just £500,000 ($670,000).
Technical concerns focus on why it took so long for Dixons Carphone to discover the breach. Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, comments, "The fact that this breach has only just been identified through a routine security review can be viewed from two sides. Yes, it's great that this breach was identified as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017; why wasn't it identified sooner? How often is security scanning done, given that it has taken almost a year to be found?"
Ross Brewer, VP and MD EMEA at LogRhythm, is less accommodating. "The scale and time-frame of this data breach is staggering," he says. "Initial attempts to access data began in July last year, yet this was only discovered over the past week, indicating that the company lacks vital threat detection capabilities."
The breach notification concerns center around the Dixons Carphone statement. Some commenters praise the apparent speed and fullness of its notification to victims. Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, says, "With over a billion compromised records last year, I think this particular incident is of small importance. Many similar breaches occur every day and alas remain unnoticed. Unless we have evidence of malicious exploitation of the allegedly stolen data, no major detriment is imputable upon the victims. In light of these facts, Dixons Carphone's decision to disclose is rather laudable, albeit one may question the timeline of the disclosure. Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches."
Others, however, fear that the statement plays down the actual harm rather than warning the victims about potential future harm. Dixons Carphone chief executive, Alex Baldock, said, "we have currently no evidence of fraud as a result of these incidents." The statement also implies that victims needn't worry about their card details, since by far the majority are chip and PIN cards, and no CVVs were included. It does not mention the potential for phishing and other social engineering scams targeted against actual or merely potential Dixons Carphone breach victims.
Trevor Resche, threat intelligence officer at Trusted Knight, is forthright. "Today's breach of Dixons data will have far-reaching consequences for some time. While Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it's unlikely to be long before it starts being shopped around amongst criminals, with ensuing phishing and brute-force attacks launched."
For the moment, we don't know enough about the breach. Dixons Carphone is now working with law enforcement (NCSC), with the financial regulator (FCA), the data protection regulator (ICO), and "leading cyber security experts." While victims will need to monitor their bank accounts closely and be suspicious of all incoming Dixons Carphone-related emails, businesses in general and the cybersecurity industry in particular will be monitoring the reaction of the data protection regulator. If the ICO finds that Dixons Carphone was negligent in its protection of customer data, it could levy a significant fine.