Dixons Carphone has announced it was the victim of a hack in which millions of customer bank card details were targeted.
According to Sky News, the firm has experienced an “unauthorised data access”, which could compromise the data of 5.9million cards in one of its processing systems for Currys PC World and Dixons Travel stores.
The company believes the hacking attempts began last July but there is no current evidence of any fraudulent use of information so far.
1.2million personal data records were also hacked, but the data was non-financial with the company insisting no evidence of fraud was witnessed at this stage.
The vast majority of the cards have chip and pin protection meaning no purchases could be made.
However, the firm has notified the card providers of non-EU issued cards without chip and pin technology to protect those customers’ accounts.
Chief Executive, Alex Baldock, said: "We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we've fallen short here.
"We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."
"We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected."
The breach is currently being investigated by police and relevant regulators have been informed.
An ICO spokesman added: "An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.”
The company's shares lost five per cent of their value when trading began following the latest disclosure. However, the firm could be losing far more, with a fine from the ICO potentially reaching £500,000 – the fine issued to TalkTalk for its failings following a major cyber-attack in 2015.
Not only that, but the reputational damage as an outcome of this hack could be crippling. One positive is Dixons Carphone has not attempted to cover up the incident and has followed ICO protocols in reporting the breach. Considering that failing to notify a breach can result a monetary penalty up to the value of £500,000, it's important to be honest.
How can I mitigate the risk of a breach at my firm?
The case highlights the importance of assessing the risks in your organisation and developing a plan to mitigate the impact of a potential hack - which includes tight security controls. But, don’t worry. As shown with this case, even large corporations cannot plan for every eventuality.
Karen O'Flaherty, Chief Operations Officer at Morgan McKinley, notes that there needs to be a cultural change to keep up with the new privacy regulations, however: “It would be naïve to think [you] have prepared for every eventuality,” she told The Independent. “A feature of the new regime is that it is based on general principles."
"Specificity is not always clear. That's a frustration and a challenge. It underlines the importance, however, of preparation.”
But I'm concerned about the fines for data breaches! What if I can't prevent one?
If a prudent organisation who has met a high number of the controls set out by the ICO experiences a data breach, but has informed the ICO right away and are working to mitigate the impact, they might be able to persuade the agency to minimise the fine.
Jonathan Maude, International Employment Law Partner at Vedder Price, acknowledges that the discussion points around GDPR for many are the dire consequences, but urges not to buy into the panic mentality.
“For a start, the enforcer doesn't have a track record for taking punitive action against companies that are slow to conform,” he said. “Its priority is to come down hard on data breaches and companies that hide the fact. If the ICO institutes a check and your plans aren't fully in place, you're likely to get an enforcement notice, but you won't go bust.”
HR Grapevine has also set out what to do if you do experience a data breach. More information can be found here.
