Dixons Carphone has announced that it has suffered a massive data breach, involving nearly 6 million payment cards and the personal data of 1.2 million people.
The hack, which began in July last year, comes as a further blow to the organisation, as it announced only at the end of last month that it was closing 92 stores across the UK.
Although the details of 105,000 cards without chip and PIN protection have been leaked, the company claims that it has no evidence that any have been used fraudulently.
The 5.8 million cards that were chip and PIN protected did not have their PIN codes, card verification values (CVV), or authentication data taken, which meant that unauthorised purchases could not be made with them.
Alex Baldock, who took over as chief executive in January, said that he was “extremely disappointed” and that the company had “fallen short”.
Baldock continued: “Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
The company stated that hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores.
The firm mentioned that it had recently hired leading cyber-experts and had added extra security measures to its systems.
It also said that it will be writing to customers whose personal data had been breached, “to inform them, to apologise, and to give them advice on any protective steps that they should take.”
It said: “We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as a result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.”
Bryan Glick, editor in chief of Computer Weekly, speaking with the BBC, said that the data breach was “right up there” as one of the biggest to date involving a UK company.
In October 2016 TalkTalk received a record £400,000 fine after attackers breached the company’s systems and accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers, and email addresses.
In 15,656 cases, attackers were also able to access bank details and sort codes.
Had the breach occurred after GDPR came into force, the fine would have been 79 times higher, at around £59 million, according to The Register.
Because the Dixons Carphone breach happened before 25 May 2018, the company will escape a fine of around £17 million.
As it stands, it could now face a fine of around £500,000 from the Information Commissioner's Office (ICO).
An ICO spokesperson said: “We are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.”