Dixons Carphone breach: 10 times as many victims as first thought

Dixons says that the stolen records do not contain personal information

The number of people affected by the Dixons Carphone data breach has risen from an initial figure of 1.2 million to 10 million, the company has announced following an investigation.

Up to 1.2 million general user data files (including names, email and postal addresses) were stolen in the original breach, which took place in July last year, along with 5.9 million people's credit card details.

At the time, the company said that the credit card information theft was mostly a non-issue, as the majority of cards were protected by chip and PIN. About 105,000 cards were not covered in this way, presumably those owned by international travellers.

Dixons has now admitted that the breach was much larger than first thought, although it added that fraud is unlikely to result:

‘Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.’

CEO Alex Baldock said:

"Since our data security review uncovered last year's breach, we've been working around the clock to put it right. That's included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we're updating on today.

"As a precaution, we're now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.

"Again, we're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us."

The Information Commissioner's Office was only able to fine Dixons Carphone £400,000 after it announced the breach, as the incident took place before the GDPR came into effect.