In what could be the largest data breach since the GDPR came into effect, Dixons Carphone has revealed what it’s calling an “attempt to compromise 5.9 million [credit or debit] cards”, and a leak of “1.2m records containing non-financial personal data, such as name, address or email address”.
Dixons Carphone – a large European electrical and telecommunications company that owns familiar brands like Dixons, Currys, PC World and Carphone Warehouse – has only revealed vague details about the breach so far, but of the 5.9 million cards compromised:
- 5.8 million are protected by Chip and PIN.
- 105,000 non-EU issued cards are not protected by Chip and PIN.
The ICO (Information Commissioner’s Office) have issued a statement saying:
An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.
Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.
If you’re a Carphone Warehouse customer, there is good news and bad news.
Let’s start with the good news.
The risk to the owners of the 5.8 million affected payment cards protected by chip and PIN is lowered because crooks will likely need additional data in order to use them to make transactions. According to Dixons Carphone:
The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.
That being said, there has also been a loss of personal data which could include contact details for the individuals affected by the card theft.
Now the bad news.
The data that has been stolen makes it much easier for crooks to acquire the rest of the information they need to use your Chip and PIN credit card.
After a breach of this sort, the crooks have what they need to create personalised lures, such as social engineering or phishing attacks that extract the missing information in return for free phone upgrades, payment checks or other services.
What to do?
So how can you make sure you’re not caught out by the breach?
- Keep an eye on your bank statements to see if any unusual transactions occur.
- Be vigilant when receiving emails and phone calls, especially if they’re asking for authentication codes related to your bank account or payments.
- Cancel your card and request a new one from your bank or building society if you’re at all concerned about your card being compromised, or if you own one of the 105,000 cards without Chip and PIN.
Don’t forget that, thanks to the GDPR, you have the right to request that European companies disclose any and all personal data they hold about you.
So, if Dixons Carphone informs you that you were affected by this data breach, you can ask them to tell you about all the data they currently have about you, and to confirm exactly which data fields were included in the leak.
By the way, if someone claiming to be from Dixons Carphone (or any of its brands) emails or phones you in connection with this breach, don’t ask them for further information by replying directly to the email or by continuing the phone call – you could be talking to a scammer.
If you want to communicate with Dixons, use contact information that you’ve figured out yourself, for example from a recent invoice or from Dixons’ official PR statement about the breach.