Dixons Carphone has suffered its first major blow since last year’s £4bn merger after admitting to a huge data breach that has put millions of customers at risk and sparked an investigation by the UK’s data watchdog.
The Information Commissioner’s Office (ICO) said yesterday that it is “making enquiries” into the attack after being notified by the high street retailer late last week.
Personal information belonging to up to 2.4m Carphone Warehouse customers, such as card details, addresses and dates of birth, may have been stolen, along with the encrypted credit card data of up to 90,000 customers.
The breach was revealed on Saturday after first being identified on Wednesday, leading some customers to criticise the firm’s slow response in alerting people to the security issue.
Carphone Warehouse said it had taken immediate action to secure the systems and is contacting all those affected. A spokesperson said that so far no losses have been reported.
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” chief executive Sebastian James said.
“We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
The group, which trades as Carphone Warehouse, Currys and PC World in the UK and Ireland, said websites affected include e2save.com, Mobiles.co.uk and OneStopPhoneShop.co.uk.
It also provides services to TalkTalk Mobile, Talk Mobile, and to its own recently launched iD mobile network.
The Metropolitan Police said its Cyber Crime Unit had been notified of the breach but no formal allegation of a crime had been made.
The UK’s national fraud and internet crime reporting centre, Action Fraud, said its team of experts will be processing and analysing all reports made by customers. “We will have a better idea of volume and nature of reporting as the week progresses,” a spokesperson for Action Fraud said.
BIGGEST ICO DATA FINES
■ In 2013, the Information Commissioner’s Office (ICO) fined Sony £250,000 after its PlayStation Network Platform, containing private information belonging to millions of customers, was hacked into. The fine is the biggest handed out by the regulator to date.
■ Online holiday insurance company Staysure.co.uk was fined £175,000 in February this year after IT security failings let hackers access over 100,000 customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack.
■ Think W3 Limited, an online travel services company, was fined £150,000 in July 2014 after using insecure coding which resulted in 1.1m credit and debit card records being hacked.
■ Hotel booking website Worldview received a £7,500 penalty in November 2014 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.
■ Telecoms firm Vodafone was issued with a fixed monetary penalty in December last year for failing to comply with the personal data breach reporting requirements under the Privacy and Electronic Communications directive. The ICO did not disclose the amount.