5.9 million Dixons Carphone customers have had their payment cards breached, and a further 1.2 million personal data records were accessed, in an attack lasting almost a year.
The electronics retailer revealed that hackers had gained access to the Currys PC World and Dixons Travel systems beginning last July, and that the breach had only been patched recently. Of the cards affected in the hack, the majority were protected by chip and PIN; however, approximately 100,000 were older or non-European cards with no such protection.
The National Cyber Security Centre is working with the retailer in cleanup and review measures.
“Anyone concerned about fraud or lost data should contact Action Fraud,” said the NCSC. “We recommend that people are vigilant against any suspicious activity on their bank accounts.”
Dixons Carphone chief executive Alex Baldock said the company was addressing the attack, and apologised to customers.
“We are extremely disappointed and sorry for any upset this may cause.
“The protection of our data has to be at the heart of our business, and we’ve fallen short here.
“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
The Information Commissioner’s Office said they were conducting an investigation into the breach, working with the NCSC and the Financial Conduct Authority.
“We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” said a spokesman for the independent watchdog.
The distinction between which regulation the incident falls under could have large implications for Dixons.
Earlier data protection laws have a maximum fine of £500,000. However, the recently enacted General Data Protection Regulation comes with a maximum fine of £17.6 million or 4% of global revenue.
The GDPR came into effect on May 25th, before the breach was located and shut down by Dixons.
The attack is not the only one Dixons has had to deal with in recent times. The Carphone Warehouse was hit with a breach in 2015, which resulted in a £400,000 fine from the ICO.