Hacked retailer Dixons Carphone marks first major breach under GDPR
Dixons Carphone has confirmed it has suffered two data breaches involving details of 5.9m payment cards and 1.2m personal data records including addresses.
The specialist electrical and telecommunications retailer said that it had been investigating a hacking attempt since July of last year.
There is currently no evidence to suggest the card information that left its systems has been used fraudulently since the breach, Dixons said.
5.8m of these cards have chip and PIN protection, according to Dixons, and the data accessed is said to contain neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.
105,000 non-EU payment cards which do not have chip and pin protection have been compromised.
The insurance industry has since weighed in on the breaches, which mark the first major incident since GDPR went into effect on May 25, 2018.
“This breach is the first significant incident under the new GDPR regime and it will be interesting to see how the UK’s privacy regulator, the Information Commissioner (ICO), reacts,” commented Raf Sanchez, international data breach manager at Beazley. “The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers' details were accessed.”
Sanchez noted that less than a third of businesses have a formal policy on how they will address cyber security risks, and that many are unprepared for the complexities of the new mandatory breach reporting regime under GDPR.
He continued: "This breach and the speed with which management have moved to contain it and to communicate their efforts not just to regulators but also to the public shows just how important it is to be prepared. It is almost impossible to prevent breaches but if organisations want to survive these events they have to have a strategy to react and manage these incidents."
David Legassick, head of cyber at CNA Hardy, said: “This is a clear example of plan beats no plan. Cyber threat is a boardroom risk. In our view, if the boardroom takes it seriously, then it becomes embedded within the culture. If the leadership are all on the same page, then Legal, HR, IT, Management and all business units are also on the same page with them and the organisation is much better enabled to withstand an attack.
"Events like this underscore how important it is we never stop learning – making sure the company can capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defence stronger. Cyber is always a case of what doesn’t kill us makes us stronger."
Copyright © intelligentinsurer.com 2024