Dixons Carphone hit by new cyberattack as 6m cards hacked

Card data of 5.9m customers held by Dixons Carphone has been accessed by hackers, the retailer revealed on Wednesday, with records on 1.2m customers containing non-financial personal data also accessed.

While most of the customers' card data held on the processing systems of Currys PC World and Dixons Travel was protected by chip and pin systems, roughly 105,000 non-EU issued payment cards without such protection have been compromised.

Dixons said it had "no evidence of any fraud on these cards as a result of this incident", having immediately notified the relevant card companies of the data breach, as well as informing the police, the Information Commissioner’s Office and Financial Conduct Authority.

Earlier this year, the ICO fined the FTSE 100 group £400,000 over a 2015 cyberattack where more than 3m Carphone Warehouse customers' data was breached.

With this latest cyber assault having come to light as part of an internal review of the retailer's systems and data, a resulting investigation revealed that hackers also gained access to 1.2m records containing non-financial personal data, such as name, address or email address, Dixons said.

The retailer maintained that there was "no evidence that this information has left our systems or has resulted in any fraud at this stage", though this does not mean it has not occurred, and affected customers were being contacted with apologies and advice on any protective steps they should take.

Chief executive Alex Baldock, who started in April after previous boss Seb James stepped down after a six-year stint, said: "We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we've fallen short here.

"We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected."

The news adds to the Dixons Carphone's woes, coming fresh on the heels of a profit warning last month as new boss Baldock said "plenty of hard work" was needed to get the company back on track. The former Shop Direct CEO in part blamed "underinvestment in important areas" of the business under his predecessor.

An ICO spokesperson said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the FCA and other relevant agencies to ascertain the details and impact on customers."

Analysts at Liberum said the fact that the cyberattack was revealed on the London Stock Exchange's regulatory news service "indicates the seriousness with which the company is taking the situation".

"However, we do not know whether the company has informed the ICO within the 72 hour required timeframe. What will be interesting is that this is the first breach since the GDPR regulations came into effect. What will the ICO do...?"

Any customers concerned about lost data and how it may be used should follow the advice of the police's Action Fraud service, the ICO advised.