Dixons Carphone admits data breach affected 5.9m cards

The UK’s biggest electricals retailer, Dixons Carphone, has admitted a data breach impacting the payment cards of millions of its customers.

Dixons Carphone announced today it has started an investigation into unauthorised data access which saw an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.

As part of a review of its systems, the retailer determined there was unauthorised access to certain data held by the company. It prompted an internal investigation with the aid of cybersecurity experts, which has resulted in the company adding extra security measures to its systems.

In a statement this morning, Dixons Carphone said there is no evidence the problem is continuing, and there is no evidence to date of any fraudulent use of the data as a result of these incidents.

The update from the retailer said that 5.8 million of the affected cards have chip and PIN protection, while the data accessed from the cards contains neither PIN codes, card verification values, nor any authentication data enabling cardholder identification or a purchase to be made.

However, it added that approximately 105,000 non-EU issued payment cards, which do not have chip and PIN protection, have been compromised. Dixons Carphone has since notified the relevant card companies via its payment provider in relation to these incidents.

Separately, the investigation has uncovered that 1.2 million records containing non-financial personal data, including name, address or email address, have been accessed without authority. At present, there is no evidence that this information has left the retailer’s systems or has resulted in any fraud.

Anyone whose non-financial personal data was accessed will be informed, with Dixons Carphone apologising to them and offering individual advice on protective steps they should take.

Alex Baldock, the new CEO of Dixons Carphone, who in May appeared to criticise the previous management team after issuing a profit warning, said: “We are extremely disappointed and sorry for any upset this may cause.

“The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Baldock, who last month said “nobody is happy with our performance” after the company revealed profit for the full year would be around £300 million, which was well down on analyst estimates, added: “We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cybersecurity experts, added extra security measures to our systems and will be communicating directly with those affected.

“Cybercrime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”