Dixons Carphone has said that around 10 million personal records were accessed in the major data breach reported in June, considerably more than its original estimate of 1.2 million.
The retailer, which operates the Carphone Warehouse and Currys PC World chains, said it has been investigating the hack since it was uncovered last month, working with cyber-security experts and adding security measures to safeguard customer information.
It said its investigation had revealed that almost 10 times the number of personal records – containing names, addresses or e-mail addresses – had been accessed in 2017 than first thought and there was evidence that some of that data had left its systems.
Although it confirmed these 10m records did not contain payment card or bank account details, and there was “no evidence that any fraud has resulted”, the company revealed in June that as well as personal records, 5.9m payment cards were compromised – 5.8m of which had chip and pin protection.
New Dixons Carphone chief executive Alex Baldock said the firm was “very sorry for any distress” caused and was “fully committed” to making customer data safe.
Confirming the firm had successfully shut down the unauthorised access, Baldock said: “As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud.
“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”
Alex Neill, Which? managing director of home products and services, said: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure.
“It’s now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of e-mails regarding the breach as scammers may try and take advantage of it.”
Ben Boswell, vice president, Europe at technology solutions firm World Wide Technology, said: “Under GDPR, data governance, including secure storage, access, audit and mapping, is now a direct responsibility of the business, and failure to comply can lead to heavy fines.
“To avoid a similar crisis, the first step organisations must take is to understand the intricacies of the existing security structure. This will enable them to be able to detect unusual activity and put a quick response in place to safeguard sensitive customer data.
“As the influx of IoT (Internet of Things) technology remodels the retail landscape and increases cybersecurity risks, systems that continually monitor and react to data anomalies are the key to fast responses to security breaches. Without these systems in place, retail organisations will continue to expose customer data to security compromises and risk not only sensitive customer information but also incur crippling fines under GDPR.”