An investigation is underway into one of the UK’s biggest data breaches at a single company, following unauthorised access to 5.9 million Dixons Carphone customers’ cards.
Dixons Carphone discovered the massive data breach while it was auditing its systems and data. Dixons said there were efforts made to compromise the cards in a processing system at Currys PC World and Dixons Travel, but said there was no evidence to suggest fraud had occurred due to the incident.
In a subsequent breach, personal data including names, addresses or email addresses has been obtained. However, Dixons said there was no evidence that it had resulted in inappropriate or illegal use of the information.
Alex Baldock, its chief executive, apologised for the data breach and admitted the company had failed its customers. He said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
The retailer will be contacting affected customers via mail shortly “to inform them, to apologise, and to give them advice on any protective steps they should take”.
Of the 5.9m cards that were accessed illegally, 5.8m were chip and PIN protected, and no PIN codes, card verification values (CVV) or authentication data were obtained, meaning purchases could not be completed. However, about 105,000 payment cards from outside the EU and without chip and PIN protection were obtained. Dixons said it had alerted the banks involved and they had not discovered any fraudulent purchases on customer accounts.
Under the General Data Protection Regulation (GDPR), Dixons could be sanctioned with a maximum of €20m (£17.6m) or 4% of global turnover, whichever is the higher.