An interesting statement from Dixons Carphone.
It should be noted that this is listed as a potential breach, rather than proven.
1,200,000 personal records have been breached via unauthorised access. Additionally (in a separate incident), 5,800,000 chip-and-PIN card details have been accessed, along with 105,000 non-EU card details that do not have chip-and-PIN protection.
The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV), nor any authentication data that would enable cardholder identification or a purchase to be made.
The card details may of course lead to attempted fraud, and rightly the focus will be there, but all too often we hear about personal details being exposed, such as names, email addresses and postal addresses. This leaves victims open to attacks such as phishing and social engineering (there is, for example, an increase in such attacks conducted by phone).
Under GDPR, companies are obliged to use reasonable security measures. This is speculation, but it may be that whilst reviewing its systems in this light Dixons Carphone exposed a vulnerability in its existing systems and controls. The statement does make it clear that this was discovered as “part of a review of our systems and data”. If the systems are deemed to lack adequate security, GDPR could be used to place stringent audit controls on the company or even to impose huge fines, especially if it is deemed negligent.
No further details were provided, but the ICO and the relevant financial and law enforcement authorities have been notified.
Ref: Statement from Dixons Carphone
Correction: company name is “Dixons Carphone”.