Dixons Carphone data breach, 5.9 million payment cards exposed
13.6.18 securityaffairs Incident
Retailer Dixons Carphone has disclosed a security breach that involved 5.9 million payment cards and 1.2 million personal data records.
Dixons Carphone discovered “unauthorised access” to certain data held by the company. It promptly launched an investigation and hired an external firm to shed light on the case.
The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.
“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company,” reads the data breach notification published by the company.
“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”
The retailer explained that it has no evidence to date of any abuse of the data as a result of the hack. The bad news for customers is that the compromised information included payment card data.
Dixons Travel confirmed that hackers could have accessed data of 5.9 million cards stored in one of the processing systems of Currys PC World and Dixons Travel stores. The company highlighted that 5.8 million of these cards have chip and PIN protection; in these cases, the card data that crooks may have accessed contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.
Roughly 105,000 non-EU issued payment cards that do not use chip and PIN protection have been compromised.
The firm notified the relevant card companies via its payment provider about all compromised cards.
“Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.” added the company.
This isn’t the first time that the company has suffered a security breach; in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.
In any case, affected customers are potentially exposed to phishing attacks and have to be vigilant.