Dixons Carphone has revealed that a data breach in June 2017 has affected almost 9 million more people than it first thought.
On 13 June 2018, following a review of its systems security, the Carphone Warehouse and Currys PC World owner announced that it had found past unauthorised access to some of its data.
After launching an investigation into the matter, which is now nearing completion, the retail giant has identified that approximately 10 million records containing personal data may have been accessed in 2017.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted,” explained Dixons Carphone. “We are continuing to keep the relevant authorities updated.”
As a precaution, the retailer is advising customers of the protective steps they can take to minimise the risk of fraud.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said Dixons Carphone chief executive Alex Baldock.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
With the breach affecting almost 20% of the UK population, Rachel Aldighieri, MD of the DMA (Direct Marketing Association), stresses that it is imperative that Dixons Carphone is forthcoming with information and advice to affected customers on what this means for them and how they can protect their personal information.
The DMA worked closely with the ICO in the lead-up to GDPR and is one of the leading industry voices on consumer data privacy.
“Dixons Carphone now has the challenge of re-building the trust of its customer base. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again,” said Aldighieri.
“Dixons Carphone has been carrying out an investigation into the breach with various regulators since it was discovered in June, but the damage caused now appears to be far worse than originally anticipated. Any breach of data protection law that related to incidents prior to the 25th May would not be subject to the hefty fines available within the new GDPR. Instead, with this breach happening under the regime of the previous Data Protection Act, Dixons Carphone could face a fine of up to £500,000.”
Aldighieri continued: “However, fines are just one of the risks to organisations like Dixons Carphone. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.”