Beazley has considered the potential General Data Protection Regulation (GDPR) implications of a recently reported data breach at Dixons Carphone, which involved 5.9 million payment cards and 1.2 million personal data records.
Dixons Carphone said there was no evidence that any of the cards had been used fraudulently following the breach, which involved an attempt to compromise cards in one of the processing systems of Currys PC World and Dixons Travel stores.
Sources indicate that the breach began in July 2017, well before GDPR rules came into effect in May 2018, although Beazley noted that the incident was only reported after GDPR implementation, and suggested that the investigation may concern multiple incidents with different dates.
Raf Sanchez, Beazley’s International Data Breach Manager, said: “This breach is the first significant incident notified after the implementation of the new GDPR regime and it will be interesting to see how the UK’s privacy regulator, the Information Commissioner (ICO), reacts.
“The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past, with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers’ details were accessed.”
Dixons Carphone claimed that the majority of cards targeted by the hacking attempt were protected by chip and PIN verification, although as a precaution it notified the relevant card companies for approximately 105,000 non-EU issued payment cards that were potentially compromised.
The company also stated that it had “engaged leading cyber security experts and added extra security measures to our systems” and informed the relevant authorities, including the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA), and the police.
Sanchez continued: “Less than a third of businesses have a formal policy on how they will address cyber security risks and many are unprepared for the complexities of the new mandatory breach reporting regime under GDPR.
“This breach, and the speed with which management have moved to contain it and to communicate their efforts not just to regulators but also to the public, shows just how important it is to be prepared. It is almost impossible to prevent breaches, but if organisations want to survive these events they have to have a strategy to react to and manage these incidents.”
Alex Baldock, Chief Executive Officer (CEO) at Dixons Carphone, also commented on the incident: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”