Dixons Carphone Breach Beats the GDPR Clock, Concerns Remain

Credit union experts are on alert for news of how many CU members were impacted.

A pedestrian speaks on a mobile phone as he passes a Carphone Warehouse retail store, operated by Dixons Carphone Plc, in central London, U.K., on Tuesday, May 29, 2018. Photographer: Simon Dawson/Bloomberg

Dixons Carphone, a multinational electronics and telecommunications retailer and services company headquartered in London, acknowledged a massive data breach involving 5.9 million payment cards and 1.2 million personal data records.

While connecting a breach across the Atlantic Ocean to the U.S. seems implausible, the incident provides a stark reminder of the ongoing commitment all organizations must have to protect personal data and stay compliant with evolving regulations. In the first of this two-part report, cybersecurity experts weighed in on the incident and its potential effects in light of privacy concerns and the European Union’s General Data Protection Regulation.

Dixons Carphone, which operates under several brands in the UK, Ireland and mainland Europe, said there was no indication of any fraudulent use of the breached cards. The statement admitted that only 105,000 cards without chip-and-PIN protection were exposed. It has since been determined that the breach affected U.S. and Canadian consumers, although the exact number remains unknown.

Many firms that do business with EU customers and citizens/residents must now deal with the GDPR, which took effect May 25, 2018 across all 28 EU nations. The UK plans to adopt the same standards as well despite Brexit. Fortunately for Dixons, or perhaps to beat the GDPR deadline, the incident apparently occurred before the new GDPR rules, which promise steep fines for companies that do not report a data breach within 72 hours, officially took effect.

Lee Munson, security researcher with Comparitech.com, warned of the effect this could have on the chain’s customers, millions of whom have had their personal or payment card information leaked. “Dixons Carphone says there is no evidence of fraudulent payments being made with the stolen cards, but affected customers would be well advised to keep an eye on their bank and credit card statements in case of rogue payments being taken.”

The United Kingdom Information Commissioner’s Office will now investigate this latest incident. Stephen Gailey, Solutions Architect at Exabeam, said, “This may end up being the first test of the ICO, which recently fined Carphone for a 2015 data breach (400,000 British pounds), saying its protection was inadequate.” He asked, “Will the ICO now use its extended powers and ability to fine, or will it come under pressure to lay off embattled High Street chains?”

Breaches like this one are becoming all too common, and while the scale of the Dixons incident is huge, they are not even a surprise anymore, Luke Brown, VP EMEA at WinMagic, asserted. “What is surprising is that organizations are still playing fast and loose with their customers’ data. Taking action to close off the unauthorized access, as Dixons has done in this case, is simply closing the barn door after the horse has bolted. The data is still out there.”

Jan van Vliet, VP/GM EMEA at Digital Guardian, also voiced concerns: “As its CEO has acknowledged, when a company gets breached and loses data, the response and actions of the board and management team become hugely important.” He acknowledged that in this instance the company attempted to bolster its cyberprotection by bringing in experts and implementing extra security measures on its systems. “I cannot help but think this is simply too little, too late. Dixons must thoroughly investigate what led to the breach and data loss, then build a remediation strategy that can help to avoid those same pitfalls in the future.”

The incident should also serve as a reminder. “GDPR applies to every organization and business, from the one-person to the largest, that has the personal data (customers, employees, any type of relationship) of any EU citizen and/or resident,” Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor, pointed out. She noted credit unions possess a huge amount of data about their clients, employees, and others (data subjects). If those data subjects are EU citizens or EU residents, then credit unions must comply with GDPR.

Credit unions need to prepare. “Have any CU clients made purchases from Dixons with credit cards issued by the CUs? CUs need to check, regardless of whether the clients are EU citizens or residents,” Herold added, noting that it is always important to know when CU cards are involved in a breach, anywhere in the world.