Yesterday high-street retailer Dixons Carphone became the first big-name brand to admit to suffering a significant data breach since GDPR came into force last month, after it confirmed a review of its systems revealed “unauthorized access to certain data held by the company.” It’s been reported that this unauthorized access had taken place in July 2017, but appears to have only been discovered by the company this week.
The firm said its investigation into the incident is ongoing, but it believed that “there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.”
However, 5.8 million of these cards were protected by chip and pin, Dixons Carphone explained, and the “data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.” The company did confirm that approximately 105,000 non-EU issued payment cards which do not have chip and pin protection were compromised though, adding that there was “no evidence of any fraud on these cards as a result of this incident.”
Separately, the company’s investigation also found that 1.2 million records containing non-financial personal data, such as name, address or email address, had been accessed too. “We have no evidence that this information has left our systems or has resulted in any fraud at this stage,” the firm added.
The big question on everybody’s lips now will be what the breach will mean with regards to GDPR and possible financial penalties.
“As the first major data breach to hit headlines since GDPR was enforced last month, there will be many companies keeping a watchful eye over how this is handled,” said Ross Brewer, VP and MD EMEA, LogRhythm. “Under these new regulations, companies can be fined up to 4% of their annual turnover if they fail to protect their data, however, with this breach taking place pre-GDPR, it’ll be interesting to see what approach the ICO takes.
Well, according to Jonathan Armstrong, compliance & technology Lawyer, partner at Cordery, whilst it seems likely that GDPR will come into play, “we needn’t assume at this stage it is a breach reported under GDPR,” he told Infosecurity.
Armstrong explained that telecoms firms such as Dixons Carphone are subject to additional reporting obligations, but despite the firm confirming it has reported the breach to the Information Commissioner’s Office, it is currently unclear whether this will be a GDPR case or investigated under telecom regulatory laws. “It could of course be an investigation under both laws,” he added.
“If it is a GDPR investigation we can expect this to take some time,” he said. “The ICO will likely have to liaise with other regulators since the indication seems to be that individuals outside the UK are also affected. The ICO are likely to be asking Dixons Carphone a series of questions and will expect them to come back promptly with answers.”
In any case, huge fines need not necessarily follow, Armstrong continued. “The ICO will look at the company’s previous track record and how easy the breach would be to protect. If it’s a known vulnerability the fine is likely to be higher – if it’s a zero-day exploit they are likely to take this into account. The setting of fines under GDPR is complex and naturally both the ICO and Dixons Carphone will be looking at the aggravating and mitigating factors now and the details of the incident.”