Earlier this summer, customers of popular UK high street stores Currys PC World, Carphone Warehouse, and Dixons Travel were warned that hackers had breached one of the processing systems used by the stores, and made off with 5.9 million payment cards and the personal data records of 1.2 million individuals.
Now parent company Dixons Carphone is saying that some 8.8 million *more* customers may be impacted by the breach, which occurred in 2017.
The silver lining on the cloud, however, is that Dixons Carphone believes that these breached records do not contain payment card information or bank account details. It also says that it has seen no evidence that any fraud has taken place as a result of the breach.
Nonetheless, there’s clearly ample opportunity for scammers to use breached details such as customers’ contact information and email addresses in an attempt to defraud unsuspecting customers.
Dixons Carphone Chief Executive Alex Baldock has apologised to customers:
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves. Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
The company is no stranger to finding itself in the media spotlight over hacks.
In 2015, Carphone Warehouse (which was then a separate company) warned that approximately three million customers had been put at risk after its IT systems were breached by hackers.
The hack resulted in the Information Commissioner’s Office (ICO) issuing a £400,000 fine earlier this year.