Dixons Admits 10 Million Customers Hit in Data Breach

A massive data breach has led to a huge fine for Dixons

Dixons Carphone -- the company that owns Dixons, PC World, and Carphone Warehouse -- has admitted that a previously acknowledged 2017 data breach is much larger than first thought, with around 10 million customers’ personal data being theoretically available to hackers after malware was installed on its network.

The company says that financial details were not leaked, but names, addresses, and email addresses were definitely accessed. It previously thought that the hack was only related to 1.2 million accounts.

As part of the same hack, 5.9 customers’ debit card details were stolen. GCHQ got involved in the initial investigation, but it appears that no fraud was committed. That’s more by luck than by design, though. More than 100,000 of the stolen cards were not secured with a CVV or PIN, as is still fairly typical in countries like the USA, where the signature strip is still standard.

Previous Hacks via WordPress

It doesn’t end there. You may remember that the company suffered a breach in 2015, which involved the loss of millions more people’s details. In that breach, the hackers targeted some of its online stores, like OneStopPhoneShop and e2save, obtaining 3 million customer records and additional employee data.

After gaining access to the server, the hackers were able to plunder the various databases on it. This led to a huge fine of £400,000, which the company has only just paid.

The Information Commissioner found “distinct and significant inadequacies” in the way the company was storing personal data. In that incident, an insecure WordPress website was highlighted as an entry point for the hackers, with the ICO saying that the installation had not been updated for some time.

Bear in mind that WordPress automatic updates have been a feature of the software since version 3.7, which was released in October 2013. So there was absolutely no excuse for a company of this size not to have looked after its website properly.

What is Going on at Dixons Carphone?

The latest 2018 breach raises serious questions for Dixons Carphone, which seems to have some issues around customer data security.

Not only did it massively underestimate the number of records originally accessed in the latest hack, but it’s possible that it would have dragged its heels over revealing the truth if GDPR hadn’t come in. Fortunately for consumers, one of the key pillars of GDPR is the quick publication of information.

Dixons Carphone says it will write to the customers that have been affected in the latest hack to say sorry. Nobody will be offered any compensation because -- luckily -- no cards were used.

But it seems like that’s just a happy accident, and Dixons Carphone needs to urgently review the way it stores and secures our personal data.
