
Dixons Carphone admits to massive data breach - 5.9 million payment card details.

by Giulia Foss | Jun 13, 2018
The latest and indeed one of the biggest data breaches to hit a UK company has been revealed. Dixons Carphone, has admitted that a breach involving 5.9 million payment cards and 1.2 million personal data records took place last year.

Although the figures are startling, the company maintains that while there was "an attempt to compromise" 5.9 million credit and debit cards, 5.8 million of those were protected by chip and PIN, and only around 105,000 cards without chip and PIN protection were actually leaked.

Dixons Carphone is still investigating what happened; the company believes attackers tried to gain access to one of its payment processing systems. Questions are now being asked about why the breach took so long to be made public, given that it occurred in July 2017, and why the intrusion wasn't detected earlier, particularly in light of the company's first breach.

Not the first time…but maybe the last time?

As we are aware, Dixons Carphone had suffered a previous breach. In 2015 the company was hacked and was subsequently fined £400,000 by the ICO. This time around the breach is far more serious and wide-ranging, and because of its timing there has been speculation as to whether the company will be liable for much more substantial fines under GDPR.

If so, fines could reach up to 20 million euros or 4% of annual global turnover, whichever is higher. Either would be crippling for the already struggling retail giant. The company has reported a large drop in profits, which has led to the decision to close almost 10% of its Carphone Warehouse stores.

Luckily for Dixons, the most recently reported breach occurred before GDPR came into force on 25 May 2018, so it falls under the Data Protection Act 1998, where the ICO's maximum penalty is £500,000 rather than a GDPR-scale fine. However, as with all breaches, the reputational damage has had an immediate financial impact: the company's shares fell more than 3% in early trading.

Should you be concerned about your details?

In this particular case, attackers accessed both personal records and payment card details. This is serious and somewhat unusual: when a breach occurs it is more often names, email addresses and login credentials that are stolen.

Having said this, it's important to bear in mind that the majority of the card details obtained belong to chip and PIN cards, and Dixons Carphone has stated that the data accessed for those cards contained neither PINs nor card verification values (CVV), so on its own it cannot be used to make a purchase. There have also been no reports of fraudulent activity on the cards that lack chip and PIN protection. Affected customers should still watch their statements for card-not-present transactions and follow their card issuer's advice.

In response to the revelation, Editor in Chief of Computer Weekly, Bryan Glick, said the breach was "right up there" as one of the largest involving a UK company.

Glick went on to say: "If you've not heard from Dixons Carphone to warn you, the chances are you're OK."

What next…

Dixons Carphone has many questions to answer. Customers and bodies such as the UK Information Commissioner's Office (ICO), which fined the company previously, will be keeping a close eye. Beyond the legal wrangling the company is likely to face, the real damage is to brand reputation, something that is hard to quantify both financially and in terms of lasting impact.

What should you do following a security breach? Here are the five key steps to take…

So, the worst has happened, and your organisation has suffered a security breach. What are the first things you need to do to ensure that your risk is minimised?


  1. Triage

    Don't panic. It may be a natural reaction, but in our experience it doesn't solve anything. Avoid the temptation to simply pull the plug or turn the machines off: powering down destroys volatile evidence such as memory contents and active network connections, and can tip off an attacker who is still inside. Isolating the affected systems from the network preserves that evidence while still containing the incident. Directly after a breach, things often seem worse than they are. Your main goal should be business continuity. To achieve it, establish the nature and extent of the incident. Is it something that has been seen before, such as a routine anti-virus detection? If so, what steps need to be taken to control its impact?

  2. Data analysis

    Carefully analysing the evidence involved in the incident is crucial to understanding what actually happened. Preserve it first: copy logs, capture memory and take disk images before remediation overwrites them, and record who handled what and when. It may sound simple, but over the years we have seen too many cases misdiagnosed early on, resulting in incorrect remedial actions. By assigning an expert to handle the incident, you can be sure that incident management and coordination are taken care of, so that you can focus on getting your organisation back to its normal state of operation.

  3. Communication

    One of the biggest issues we see with incident response is a lack of internal communication, from board level down. Depending on the type of incident, communication with the rest of the organisation and with external bodies such as third-party agencies, customers and regulatory authorities may be necessary. If so, ensure communication only occurs through the pre-planned and established channels, and make sure those channels are ones the attacker cannot read: if corporate email or chat may be compromised, coordinate out of band.

    Communication needs to be an ongoing process throughout the organisation. When a security incident occurs, everyone needs to be fully trained and aware of their role and responsibilities. Putting security incident playbooks in place for each department is one way to keep staff aware of what they are and are not allowed to do in the wake of a breach.

  4. Resolve and recover

    Once the incident handler and the technical team assigned to the incident have contained it, you should be on the way to resolving the issue and heading towards recovery. The road to recovery may involve failing over to disaster recovery (DR) systems, restoring data from backups or simply closing the incident. Before restoring anything, confirm that the attacker's access has actually been removed and that the backups predate the compromise; otherwise a restore can simply reinstate the attacker's foothold. Whatever the situation, the incident is not properly resolved until all recovery actions are complete.

  5. Lessons learned

    Following an incident, organisations can be quick to fall back into routine. It's important to learn from every security incident to minimise the risk of it happening again. Ask yourself: what can we implement to better protect ourselves? If this happens again, have we done enough to minimise the risk and disruption? Does everyone know their role, and are they aware of the part they play in keeping the organisation secure?

    One of the first things we introduce when discussing incident response plans with customers is security incident playbooks. These work by identifying key risk areas, determining which working state you are operating in and ensuring everyone knows the appropriate actions for that state.

    Simple steps, like ensuring all data and devices are properly encrypted and keeping access to sensitive information limited, can also minimise the risk of a security incident. Most people assume a security incident has to be a major breach, but more often than not incidents are the result of something much more basic.

    Organisations often rely on the IT department to provide a high level of cyber security, but it is rarely the case that it has the manpower or specialist knowledge to provide the required level of service. By outsourcing incident response, organisations can be sure they have a dedicated team on hand who know what to look out for and are ready to respond.
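The triage and data-analysis steps above both come down to the question the Dixons Carphone figures illustrate: how much was attempted, how much actually left, and over what window. The script below is an added example, not CNS Group's code and nothing from the Dixons Carphone investigation. It scopes an incident from constructed access logs of a hypothetical card-vault API; the log format, the field names, the `ALLOWED_SOURCES` subnet and the sample lines are all assumptions made for this example.

```python
"""Scope a suspected data breach from access logs (added example).

Separates *attempted* access from *successful* reads and pins down the
time window, the "nature and extent" question behind the triage and
data-analysis steps. The log format, field names and the allowed subnet
are assumptions for this example, not any real product's format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines for a hypothetical card-vault API:
# "<ISO-8601 UTC timestamp> <source ip> <account> <method> <path> <status> <bytes>"
SAMPLE_LOG = """\
2017-07-11T09:02:11Z 10.20.0.14 svc_settlement GET /cards/batch/1041 200 51200
2017-07-11T23:41:03Z 203.0.113.45 svc_settlement GET /cards/batch/1042 403 0
2017-07-12T01:12:40Z 203.0.113.45 svc_settlement GET /cards/batch/1042 200 51200
2017-07-12T01:13:05Z 203.0.113.45 svc_settlement GET /cards/batch/1043 200 51200
2017-07-12T01:13:31Z 203.0.113.45 svc_settlement GET /cards/batch/1044 403 0
2017-07-12T09:00:17Z 10.20.0.14 svc_settlement GET /cards/batch/1045 200 51200
2017-07-13T02:30:59Z 198.51.100.7 svc_settlement GET /cards/batch/1046 200 51200
"""

# Assumption: the settlement service account is only ever used from this subnet.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class Event:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    account: str
    method: str
    path: str
    status: int
    nbytes: int


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated log line into an Event."""
    ts, src, account, method, path, status, nbytes = line.split()
    return Event(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        src=ipaddress.ip_address(src),
        account=account,
        method=method,
        path=path,
        status=int(status),
        nbytes=int(nbytes),
    )


def is_expected_source(src: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(src in net for net in ALLOWED_SOURCES)


@dataclass
class Scope:
    first_seen: datetime | None = None  # earliest request from an unexpected source, even if denied
    last_seen: datetime | None = None
    attempted: int = 0                  # requests from unexpected sources, any status
    exfiltrated: int = 0                # of those, answered 2xx with a non-empty body
    bytes_out: int = 0
    batches_exposed: set[str] = field(default_factory=set)
    attacker_sources: set[str] = field(default_factory=set)


def scope_incident(log_text: str) -> Scope:
    """Walk the log once; anything from outside ALLOWED_SOURCES is in scope."""
    scope = Scope()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_expected_source(ev.src):
            continue
        scope.attempted += 1
        scope.attacker_sources.add(str(ev.src))
        scope.first_seen = ev.ts if scope.first_seen is None else min(scope.first_seen, ev.ts)
        scope.last_seen = ev.ts if scope.last_seen is None else max(scope.last_seen, ev.ts)
        # A 403 is still an attempt and still tells you when the credentials were first abused;
        # only a successful response with a body counts as data actually leaving.
        if 200 <= ev.status < 300 and ev.nbytes > 0:
            scope.exfiltrated += 1
            scope.bytes_out += ev.nbytes
            scope.batches_exposed.add(ev.path.rsplit("/", 1)[-1])
    return scope


if __name__ == "__main__":
    s = scope_incident(SAMPLE_LOG)
    print(f"window: {s.first_seen:%Y-%m-%d %H:%M:%S}Z .. {s.last_seen:%Y-%m-%d %H:%M:%S}Z")
    print(f"attempted: {s.attempted}  succeeded: {s.exfiltrated}  bytes out: {s.bytes_out}")
    print(f"batches exposed: {sorted(s.batches_exposed)}  sources: {sorted(s.attacker_sources)}")
```

On the sample data this reports five attempts from two external addresses between 2017-07-11 23:41 and 2017-07-13 02:30 UTC, of which three succeeded and exposed batches 1042, 1043 and 1046. The two counts map onto the article's distinction between cards an attacker tried to reach and cards that actually leaked, and the earliest denied request gives the date from which the credentials were compromised, which is usually earlier than the first successful read. A real investigation would corroborate the source-address heuristic with other signals (unusual hours, request volume, user agent), since an attacker operating from inside the trusted subnet is invisible to this check.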

To find out more about CNS Group's incident response service, click here
