Dissecting Dixons Carphone’s Breach & New Cybersecurity Mitigation Steps
By David Geer
It is commonplace to see headlines about criminal hackers breaching data that enterprises hold in care. Breaches of personal information put consumer privacy and finances at risk. Compromised consumer data hurts businesses’ reputations and puts them in jeopardy of fines, penalties, and lost revenues.
One enterprise victim of customer information and bank card theft, European electronics retailer Dixons Carphone, has responded by putting new cybersecurity solutions in place even as it continues to ask itself what happened. The ongoing story, breach aftermath, and company countermeasures are good forewarnings for those who would rather be forearmed than fail.
Dixons Carphone Breach & Updates
The data compromise of the European consumer electronics and telecom group — which owns Currys, PC World, Carphone Warehouse, and Dixons Travel stores — began in July 2017, although Dixons did not publish the news until June 13, 2018.
As of this writing, Dixons Carphone has not completed its investigation into the cyberattack that compromised 5.9 million consumer credit and debit cards and 10 million consumer data records. Unfortunately, no official details have come to light explaining exactly how the hackers were able to access such large quantities of personal data.
The criminal hackers got 5.9 million credit and debit card numbers but not the PIN codes or card verification values (CVV) for approximately 5.8 million of the cards, which had chip-and-PIN protection. However, 105,000 of the 5.9 million cards did not have chip-and-PIN protection; criminal hackers could have used or sold this card data for profit.
The stolen data records include consumer names, addresses, phone numbers, dates of birth, and email addresses. Customers whose data fell victim to the attack should expect phishing attempts by email, brute force attacks on various accounts by using their email addresses and guessing their passwords, and other scams.
The technical details Dixons Carphone has released about the attack include statements about unauthorized access to and compromise of payment cards in one of its processing systems. The PCI Council and the PCI-DSS standard govern the payment card protections that Dixons Carphone should have had in place. PCI-DSS adoption is broad in Europe, and Dixons Carphone is a listed participant in the PCI-DSS.
Dixons Carphone said that some of its security systems were accessed using sophisticated malware. Experts suggest that the breach was probably successful because Dixons Carphone’s cybersecurity investments were below what was necessary to mitigate the attack. Dixons Carphone has since closed the security hole that permitted the unauthorized access and added new security measures. Where the company’s IT and cybersecurity funding was inadequate, it has increased that funding by 300 percent.
Dixons Carphone Financial Penalties
The Information Commissioner’s Office (ICO) is deciding whether to fine Dixons Carphone under the GDPR or the earlier DPA98 data protection law. If the fine from the ICO falls under the DPA98, it could range from £400,000 to £500,000 (or US$529,568.00 to US$661,902.50 as of this writing).
Because Dixons Carphone operates some financial business units, the Financial Conduct Authority (FCA) could also fine the company based on how soon and how well they released data about the breach.
Dixons Carphone is facing legal action from potentially millions of affected consumers, whom Hayes Connor Solicitors are representing in a lawsuit. There is, of course, the brand damage, as this is “another stain on the company’s reputation,” as the BBC reports. Dixons Carphone’s stock price fell 6 percent on news of the breach.
Dixons Carphone’s 2018 Annual Report reveals the company’s specific steps to mitigate future breaches
Dixons Carphone’s 2018 Annual Report reveals the specific cybersecurity risks the company faces and the measures that Dixons Carphone is taking. The risks the report lists include “vulnerability to attack, malware, and associated cyber risks,” with impacts such as “reputational damage, financial penalties, reduced revenue and profitability, deteriorating cash flow, and loss of competitive advantage.”
The report states the several steps that Dixons Carphone is taking to manage these risks, including:
- Investing in information security safeguards, IT security controls, monitoring, and in-house expertise and resources as part of a managed information security improvement plan
- Forming an Information Security and Data Protection Committee composed of senior management, set up with responsibility for oversight, coordination, and monitoring of information security policies and risk
- Defining and communicating an information security policy and standards
- Providing for training and awareness programs for employees
- Establishing an audit program over key suppliers’ information security standards
- Developing and using an ongoing program of penetration testing
Dixons Carphone shares in the report that its overall information security risk position has increased in 2017/18 as a result of an increasing external threat environment.