It has been reported today that Dixons Carphone has announced that the huge data breach that took place last year involved 10 million customers, significantly up from its original estimate of 1.2 million. The company said personal information, names, addresses and email addresses may have been accessed; however, no bank details were taken and it had found no evidence that fraud had resulted from the breach. The hackers also got access to records of 5.9 million payment cards, but nearly all of those were protected by the chip and pin system. IT security experts commented below.
Bill Evans, Senior Director at One Identity:
“It was recently revealed that the Dixon’s breach affected far more customers than originally reported, in fact, nearly 10 times as many. This deepening of the incident raises one question and one rather distressing paradox.
“First, how or why did the investigators miss so many breached records? They managed to find the first million but missed the other 9,000,000? Seems odd. It may be some time before we know as the details remain sketchy, but one has to wonder in this day and age of GDPR with its requirement for hyperauditing how this was missed.
“The paradox here is that Dixon’s reported that the information from most of the credit cards that were stolen was protected by the “pin & chip” security strategy. In the world of cyber security, this is known as multi-factor authentication whereby the user must know something (a password or pin) and have something (a mobile phone or credit card). It’s great that Dixon’s and its consumers were protected by this strategy. On the other hand, one has to wonder whether this same strategy was in place within the realm of the administrators at Dixon’s. Was this one of the lapses in security that contributed to the breach?
“Again, only time will tell what new security measures will be put in place to prevent another breach. It’s just a bit frustrating that it takes breaches like this to drive organisations to make the investment.”
Rob Shapland, Head of Awareness at Falanx Group:
“It can be difficult to track the extent of a data breach while still keeping customers informed in a timely manner, and therefore it’s quite common for the number of accounts that are affected to increase as investigation continues. However, it does imply that Dixons Carphone may not have had sufficient protective monitoring in place to detect the breach and its extent.
The breach appears to have affected names, addresses, email addresses and other personal information. Although Dixons Carphone have not mentioned that passwords were compromised, it would be sensible for customers affected by the breach to change their password on all sites that used the same password. Customers should also monitor their bank accounts for any suspicious activities; although bank details were not taken, criminals can potentially use the personal information that was stolen to attempt to call banks and answer the security questions of those affected.”
David Emm, Principal Security Researcher at Kaspersky Lab:
“The news this morning that up to 10 million customers were affected by this data breach is a reminder that no organisation, large or small, can afford to ignore online security. Although the company has said that no bank details were taken in this attack, huge amounts of personal information – including names, addresses and email addresses – were accessed, along with records of nearly 6 million payment cards, affecting a huge amount of the population. This latest breach underlines how important it is for businesses to arm themselves against threats. By taking simple steps to secure their internal systems, firms can reduce their exposure to attack.”
Kaspersky Lab recommends the following advice for businesses to stay protected:
- Conduct a security audit – Identifying your business’s security strengths, weaknesses and opportunities for improvements will provide a good foundation for your future decision-making process on appropriate technology and other measures
- Choose the right anti-malware protection – Choosing the right security software will allow you to feel relaxed and comfortable that your business is adequately protected, without the hassle of managing an expensive or overly elaborate security solution
- Keep your software up to date – Apply updates to your operating systems and applications as soon as they become available (switch on automatic updates where this is available). Remember, programs that haven’t been updated are one of the key means that cybercriminals use to hack businesses
- Back up – Plan for the worst-case scenario: infection. It’s vital to back up your files – so that, if your documents are compromised, you can restore your files with minimal disruption
- Educate your staff about browsing behaviours – The starting point for most attacks is tricking people into doing something that allows attackers to get a foothold. Therefore, proactively educating your staff about the impact their online activity can have on the business will help to reduce your exposure to online threats significantly.
Tony Pepper, CEO at Egress Software:
“This morning Dixons Carphone has admitted that the huge data breach first reported in June was in fact more wide reaching than initially thought. Now reporting that 10 million records with personal data were affected, the data breach clearly enters ‘mega breach’ parameters (mega breaches range from 1 million to 50 million records lost). Using figures from Ponemon Institute’s ‘Cost of a Data Breach’ study, these types of breaches are projected to cost companies between $40 million and $350 million respectively.
Whilst there is often a lot of speculation about the fine these highly publicised data breaches will receive from regulatory bodies like the ICO, what is often not initially considered are the ‘hidden’ expenses, such as reputational damage, customer turnover, and operational costs.
Although we shouldn’t lose sight of the fact that Dixons Carphone is reacting yet again in a proactive manner by contacting affected data subjects and advising them on steps that can be taken to minimise the risk of fraud, it cannot be understated how damaging this could be from a brand and reputational standpoint.”
Joseph Carson, Chief Security Scientist at Thycotic:
“This is a common experience for many victims of a cybercrime – when you discover a breach, start your incident response and digital forensics, you will start to uncover many unexpected surprises. I believe that Dixons Carphone could have carried out better incident response and communications relating to the impacted customers. Like many companies have done in the past, they disclosed data breach numbers while the digital forensics was still ongoing, and we are likely still to find out the real impact of this data breach. The good news is that they are working with cybersecurity professionals and implementing security and protection from unauthorised access which for many companies is still a major gap in cybersecurity today.”
Andy Norton, Director of Threat Intelligence at Lastline:
“Card Not Present Fraud cost the UK over 200 million pounds last year, and chip and pin security doesn’t help with this type of fraud. As with all estimates, they are given at a point in time. Upon further investigation Dixons found that the breach was 10 times more severe than they originally thought. They also state that as of today, there is no evidence to suggest fraud has arisen because of the breach. Unfortunately, given the accuracy of their previous statements, tomorrow may be a different story.”