6 million cards compromised in Dixons Carphone breach – act now!

By Matt Boddy, Sophos

June 13, 2018

In what could be the largest data breach since the GDPR came into effect, Dixons Carphone has revealed what it’s calling an “attempt to compromise 5.9 million [credit or debit] cards”, and a leak of “1.2m records containing non-financial personal data, such as name, address or email address”.

Dixons Carphone – a large European electrical and telecommunications company that owns familiar brands like Dixons, Currys, PC World and Carphone Warehouse – has only revealed vague details about the breach so far, but of the 5.9 million cards compromised:

  • 5.8 million are protected by Chip and PIN.
  • 105,000 non-EU issued cards are not protected by Chip and PIN.

The ICO (Information Commissioner’s Office) have issued a statement saying:

“An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

“Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”

If you’re a Carphone Warehouse customer, there is good news and bad news.

Let’s start with the good news.

The risk to the owners of the 5.8 million affected payment cards protected by chip and PIN is lowered because crooks will likely need additional data in order to use them to make transactions. According to Dixons Carphone:

“The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”

That being said, there has also been a loss of personal data which could include contact details for the individuals affected by the card theft.

Now the bad news.

The data that has been stolen makes it much easier for crooks to acquire the rest of the information they need to use your Chip and PIN credit card.

After a breach of this sort, the crooks have what they need to create personalised lures, such as social engineering or phishing attacks that extract the missing information in return for free phone upgrades, payment checks or other services.
