Dixons Carphone breach could be first significant test of GDPR rules

UK telecommunications retailer Dixons Carphone has reported the first significant data breach since the introduction of the General Data Protection Regulation (GDPR). The case could put the UK’s new GDPR regime to the test, although the first hurdle will be to establish whether the breach will fall under the updated law or be dealt with under the old 1998 Data Protection Act. Dixons Carphone confirmed two breaches that attempted to compromise 5.9 million payment cards in one of its processing systems used by Currys PC World and Dixons Travel. An internal investigation established that 5.8 million of the cards have chip and pin protection. Dixons Carphone does not hold the cards’ pin or CVV numbers. A further 105,000 non-EU-issued payment cards without chip and pin have been compromised. Dixons Carphone said card companies have been notified and there is no evidence of fraudulent transactions. The investigation also uncovered a breach of 1.2 million personal data records, including names, addresses and emails. Dixons Carphone said there is no evidence that the information left their systems or has been used for fraud. Dixons Carphone said it is working with cybersecurity experts and has added extra security measures to its systems. “We have taken action to close off this access and have no evidence it is continuing,” it said. The BBC reported that the breach dates to July last year but was only discovered a week ago. The UK’s Information Commissioner’s Office (ICO) said it is deciding whether the breach will be dealt with under the 2018 Data Protection Act, which incorporates GDPR rules and penalties, or its predecessor. “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” said the ICO. The decision will be crucial to the financial impact on Dixons Carphone. If the 2018 Act is used, the company could face much higher penalties. Raf Sanchez, data breach manager at Beazley International, said: “The ICO has previously fined organisations that have demonstrated serious failings with respect to breaches in the past, with Yahoo being fined £250,000 over a breach involving 500,000 UK customers and TalkTalk having been hit with a £400,000 fine after 150,000 customers’ details were accessed.” Carphone Warehouse itself was fined £400,000 in 2015 for a breach, but Dixons Carphone said the latest incident is unrelated. Under the GDPR, companies could be liable for fines of €20m or 4% of annual turnover. Beazley said Dixons Carphone has moved quickly to contain the breach, inform regulators and notify the public. “It is almost impossible to prevent breaches but if organisations want to survive these events they have to have a strategy to react and manage these incidents,” Beazley said. David Legassick, head of cyber at CNA Hardy, agreed that Dixons Carphone had responded well to the breach. “This is a clear example of plan beats no plan,” Mr Legassick said. “Cyber threat is a boardroom risk. In our view, if the boardroom takes it seriously, then it becomes embedded within the culture. If the leadership are all on the same page, then legal, HR, IT, management and all business units are also on the same page with them, and the organisation is much better [able] to withstand an attack.”

Dixons Carphone breach could be first significant test of GDPR rules

Want to read this article?

Read Next

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Want to read this article?

Read Next

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Related Articles