Last week, UK retail chain Dixons Carphone suffered its second data breach in three years, this time resulting in the loss of 5.9 million payment cards and over a million personal records. And with the stolen data widely expected to be circulated on the dark web, you can expect this story to run and run.
On Wednesday, the company, which operates retail stores including Dixons Carphone, Currys PC World and Dixons Travel, discovered unauthorized access to its payment card data, with the attack traced as far back as July 2017. No substantial details of the compromise were given but the little bits they have provided suggest that the entire internal card system network had been compromised completely without detection for some time. In their press release they suggest that they found stolen data on an internal system but for some reason think the data was never copied from that location.
It’s believed that the attack may have started with the compromise of processing systems at Currys PC World and Dixons Travel stores, although fortunately the firm did confirm that 5.8 million of the compromised cards had chip and pin protection. As such, criminals capturing these details should not be able to obtain the pin code or card verification data required to make any purchases. That said, the firm did confirm that 105,000 non-EU issued payment cards do not have chip and pin protection. The chip protected cards are still usable by criminals when making purchases at online establishments not requiring additional verifications, which unfortunately still exist.
Dixons Carphone has notified the relevant card companies so that they could protect customers and, as it stands, says that it has not noticed any fraudulent activity on the cards. It is still unclear how the company would be aware of fraudulent transactions on any of the stolen credit cards, especially because they are a merchant and well, bluntly, never see the transactions in the first place. The card issuers however, will see fraudulent activity on those cards but attributing the fraud to this breach becomes problematic. The attack marks the second time the company – formerly known as Dixons Retail – has been breached in three years after a similar attack in 2015 resulted in the loss of up to 2.4 million customer records.
Alex Baldock, Dixon’s chief executive, admitted that the company had “fallen short” in efforts to protect its customers data, but added: “We are determined to put this right and are taking steps to do so.” These steps are said to include communicating with affected customers, improving security measures and engaging with “leading cybersecurity experts.” The firm is also in contact with the UK police, the national authority, the Information Commissioner’s Office (ICO) and The Financial Conduct Authority (FCA).
Britain’s National Crime Agency (NCA) is now leading a criminal investigation into the attack, with support from both the FCA and ICO.
Criminal Underworld Goes to Town; GDPR Looms Large
The bad news for the company is that the scale of this breach, and the nature of the details that have been compromised, mean that the impact of the attack could be felt for years. Just look at the infamous Target breach of 2013. Three years on from the attack, payment card details were still being offered to criminal groups on Tor, with some found as far away as Brazil and other South American countries.
As we discussed with the Financial Times, while Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it’s unlikely to be long before it starts being shopped around among criminals, with ensuing phishing and brute force attacks launched.
The data that has been compromised will most likely be sold or put on loan to a wholesaler who cuts the cream off the top and mixes and ages the rest of the data. This information is then parsed out in lumps to other wholesalers who sell it to the common street criminals who then resell it. Once in the hands of the direct sellers, a network of specialized criminal services – checkers, cloners, deeper fraud, re-shippers, and fake transactions services – all step in to fill the needs of the criminals with the data, who may not have the required skill to take advantage of it.
Dixons Carphone will be in touch with anyone who has been impacted, but anyone concerned would be advised to keep an eye on their bank accounts and watches out for obvious phishing attempts.
The other looming danger for the company will be the recently introduced General Data Protection Regulation (GDPR), which replaced the 1998 Data Protection Act on 25 May 2018.
GDPR enables local data protection authorities to fine companies that have been breached (and not taking the appropriate safeguarding measures to protect personal identifiable data) up to the sum of $26 million (or 4% of global annual revenue, whichever is higher).
Numerous industry experts have continually questioned if local data protection authorities like the ICO will have the resource or inclination to fine breached companies up to this amount, but it will certainly be a worry for Dixons Carphone considering its previous experience with the ICO. In February of this year, the firm was fined a UK record matching £400,000 (~$530,000) for the 2015 breach – although it did end up paying £320,000 (~$422,000) after there was a 20% reduction for early payment.
Ultimately, this is a story that will run and run for Dixons Carphone and its customers. How they deal with it could have huge short-term and long-term consequences.
Using an approach that protects the full transaction stack, Trusted Knight’s Protected Air prevents both fraud and cyber-attacks, from man-in-the-browser attacks, rootkits and session hijacking to account takeovers, more. This protection intercepts customer-side malware, prevents web app exploitation and stops transactional fraud. To learn more, click one of the buttons below.