Dixons Carphone, the U.K. mobile phone and electronics retailer, disclosed on Tuesday (July 31) an update on a data breach in which it found unauthorized access in the past to some of its data.
In a press release, the company said that since discovering the breach on June 13, it has been putting more security measures in place to safeguard customer information, increased its investment in cybersecurity and added more controls. The company said it is also working with cybersecurity experts.
As a result of its investigation, Dixons found that about 10 million records containing personal data may have been accessed in 2017. The company noted there is evidence that data was taken off its servers, but that those records didn’t contain payment card or bank account details. What’s more, it said there is no evidence there was any fraud as a result of the data breach. Dixons said it is taking actions to close off the access and have no evidence that it is continuing.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said Alex Baldock, chief executive of Dixons Carphone. “As a precaution, we’re now also contacting all our customers to apologize and advise on the steps they can take to protect themselves.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers,” he continued. “I want to assure them that we remain fully committed to making their personal data safe with us.”
In June, Dixons Carphone said the ongoing investigation showed that hackers attempted to access 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. Fortunately, 5.8 million of the cards had chip and PIN protection, and the data accessed didn’t have PIN codes, card verification values (CVVs) or any authentication data that would enable cardholder identification or a purchase to be made. However, 105,000 non-EU issued payment cards that don’t have chip and PIN protection had been compromised. The relevant card companies have been notified so they could protect customers and, so far, there hasn’t been any evidence of fraud on those cards.
In addition, the investigation found that 1.2 million records containing non-financial personal data, such as names, addresses and email addresses, had also been accessed. The company said there is no evidence that this information has left its systems or resulted in any fraud.