Dixons Carphone admits huge data breach

Dixons Carphone has this week confirmed the unauthorised access of its data. The company admitted to two breaches involving details of 5.9 million payment cards and 1.2 million personal data records, including addresses. The company said in a statement there is no evidence to date of any fraudulent use of the data as a result of these incidents.

"Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised.

"Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed."

Chief executive of the company, Alex Baldock, said it was "extremely disappointed and sorry for any upset" the incident may cause. "The protection of our data has to be at the heart of our business, and we’ve fallen short here. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge."

Because the incident happened before the new GDPR rules came into effect, the company will escape the considerably larger fines threatened under the new rules. Despite this, all eyes will be on the reaction of the Information Commissioner just weeks after the new rules came into effect.

Data breach manager at Beazley, Raf Sanchez, commented: "This breach is the first significant incident under the new GDPR regime and it will be interesting to see how the UK’s privacy regulator, the Information Commissioner, reacts. The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past, with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers' details were accessed.

"Less than a third of businesses have a formal policy on how they will address cyber security risks and many are unprepared for the complexities of the new mandatory breach reporting regime under GDPR. This breach and the speed with which management have moved to contain it and to communicate their efforts not just to regulators but also to the public shows just how important it is to be prepared. It is almost impossible to prevent breaches but if organisations want to survive these events they have to have a strategy to react and manage these incidents."
