Dixons Carphone Breach: A Reminder of Post-GDPR Company Responsibility
Credit unions can learn valuable lessons related to this breach and GDPR.
Dixons Carphone, a multinational electronic and telecommunications retailer and services company headquartered in London, acknowledged a massive data breach involving 5.9 million payment cards and 1.2 million personal data records.
The statement by Dixons Carphone, which operates under several brands in the UK, Ireland and mainland Europe, admitted only 105,000 cards without chip-and-pin protection leaked out.
In the second of this two-part report, cybersecurity experts weighed in on the incident and its potential effects vis-a-vis privacy concerns and the European Union’s General Data Protection Regulation.
Eyal Benishti, CEO of IRONSCALES, said having information disclosed to criminals puts the organization’s customers in the firing line. “Now that this breach has become public knowledge, it is likely that we will see a major uptick in criminals looking to capitalize on this, even if they were not the original hackers.”
Benishti said that things to look out for include scam messages purporting to be from Dixons Carphone offering things like free credit monitoring services, or trying to trick users into supplying more personal information or downloading malicious software.
“A sensible posture that organizations should adopt is to assume their systems will get breached and then put in place processes to minimize the risk,” Luke Brown, VP EMEA at WinMagic, suggested. Perhaps the simplest step, he said, is to ensure encryption is used to protect all data. “That way if the worst does happen, the data will be unreadable to anyone who’s not authorized to read it.”
It does not matter whether it is a careless mistake or a malicious attempt to leak data, Rich Campagna, CMO at Bitglass, held. “Organizations must put in place measures to identify sensitive customer data and build controls around when that data can be accessed and by whom.” Campagna noted that because retailers are major targets, any lapses in security will be exploited by malicious individuals.
“With each subsequent breach, fraudsters get access to additional information they can use to stitch together complete user profiles. Regardless of the type of breach, the information compromised and the scale, the impact to the end customer is long lasting,” Vanita Pandey, VP of marketing/product strategy at Simility, said. She explained that deception patterns rapidly evolve and fraudsters use sophisticated tools to harness rich consumer data.
Lee Munson, security researcher with Comparitech.com, pointed out, “The breach at Dixons Carphone highlights, yet again, how common attempts at exfiltrating personal data and payment card information have become.” Munson added that what is worrying here is the delay between the breach occurring last year and the disclosure, something that seems symptomatic of many high-profile breaches in general.
The advent of GDPR provides additional incentive to report incidents like these quickly. If a company experiences a data breach, it must report it within 72 hours of the company becoming aware of the incident or face steep fines.
Madison Iler, director, compliance and advisory services, at LMG Security observed that now that GDPR has reached its enforceable stage, all organizations collecting and storing personal information need to understand how the rules affect them. “The regulation covers a broad range of topics, including consent requirements, rights of data subjects, and provisions for data transfer and protections. In addition, companies need to be familiar with breach notification requirements and be prepared to act fast to comply.”
Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor, revealed the EU received over 2,000 complaints for GDPR violations in the first two days it went into effect.
Herold provided some valuable lessons to credit unions as it relates to Dixons Carphone and GDPR:
- The breach happened a year ago, but they did not report it until now. Why? Possibly because GDPR now requires the reporting of breaches.
- Stripe cards are more vulnerable in some ways than chip cards. But that does not eliminate the potential for fraud with chip cards.
- For EU citizens and residents, credit unions could consider advising them of their rights under GDPR following a breach.
- Generally, credit unions should take action now on this breach in the same ways they do for other types of breaches. The biggest difference is that their EU clients may ask for more information about their account activities.