Dixons Carphone criticised as data breach impacts up to 2.4m customers

Dixons Carphone group CEO Sebastian James was prompted to apologise to customers on Saturday, as it emerged the Carphone Warehouse division of the newly merged business suffered a significant data breach last week.

Up to 2.4 million customers have been impacted by the so-called "sophisticated cyber attack", with personal data such as names, addresses, dates of birth and bank details potentially compromised as a result.

An official statement from the electricals retailer said that the breach, which was discovered on 5 August, was centred on the IT systems of a division that operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites. This part of the business also provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

Encrypted credit card data of up to 90,000 customers may also have been accessed, the statement continued, although data for Currys, PC World and the vast majority of Carphone Warehouse customers is held on separate systems and was not accessed during the incident.

The group said it has launched an investigation with a leading cyber security firm to determine exactly what data was affected, and additional security measures have been implemented to prevent further attacks.

CEO James commented: "We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.

"We are, of course, informing anyone that may have been affected, and have put in place additional security measures."

Neira Jones, an independent advisor on the payments and information security landscape and chairman of the global advisory board at the Centre for Strategic Cybercrime & Security Science, told Essential Retail that, compared with recent data breach examples, Dixons Carphone acted relatively quickly to inform its customers of the breach. She nonetheless had a number of criticisms of the retailer.

"We are still missing the full picture on the Carphone Warehouse data breach: we know so far that the company took three days to notify customers from the alleged discovery of the breach, but we don't know whether they were following process when notifying law enforcement authorities and the ICO," she commented.

"What really annoys me is that you have to dig through their website to find information on the breach, where it should really be obvious on the front page. After all, there is a large burden placed on customers to contact credit checking agencies, talk to their bank, or talk to the customer services departments of not only Carphone Warehouse but also their affected partners, all of course using premium rate numbers. No wonder customers are annoyed."

The announcement about the breach is included on the homepage of the Dixons Carphone corporate website, but not on the homepage of the customer-facing Carphone Warehouse portal.

Jones added that ID fraud is rife in the UK, and warned that the digital identities stolen last week could be reused "many months down the line". And although acknowledging Dixons Carphone acted relatively promptly to inform its customers of the breach, Jones criticised the message conveyed by the company.

"I get very irate when I see the boilerplates 'a sophisticated cyber attack' and 'we take the security of our customers very seriously', whilst remaining totally vague on the nature of the attack and the remedial activity," she explained.

"I can hear the sniggers already if it turns out that the hack originated from a phishing attack. Will UK retailers view this as a warning? I sincerely hope so."