Currys PC World data breach, 1.2m records compromised

Found 13th Jun. Edited by: "BuzzDuraband"
Just been reading this and thought I'd pop up a little heads up

Sky News are saying...

"The company said there was an attempt to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores."

The investigation has found that 1.2m records containing non-financial personal data - such as name, address and email - had been accessed.

Currys PC World have said there's no evidence any data has left their systems and are in the process of contacting affected customers to apologise.

"We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.

We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected."

[City A.M.com]

The majority of these cards had chip and pin protection, according to the company, which said the data accessed did not contain pin codes, card verification values, nor any data enabling cardholder identification. But around 105,000 non-EU issued payment cards had been compromised.

The company has notified the relevant card companies so they can take appropriate measures to safeguard customers, and said there was no evidence of fraud on these cards as a result of the incident.
Community Updates
Updated 31st July: In the news today that the original estimate of 1.2 million is nearer to 10 million for the data breach

"Dixons Carphone has said a huge data breach that took place last year involved 10 million customers, up from its original estimate of 1.2 million.

The Carphone Warehouse and Currys PC World owner has been investigating the hack since it was discovered in June.

It said personal information, names, addresses and email addresses may have been accessed last year.

However, no bank details were taken and it had found no evidence that fraud had resulted from the breach."

Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.

More info on the BBC
30 Comments
If only crypto was main stream. Sick of this crap.
Why is it that they all wait for a breach to "take this seriously and put measures in place" What happened to being proactive so you don't lose face... And your business???
laurentmahe 1 m ago

Why is it that they all wait for a breach to "take this seriously and put measures in place" What happened to being proactive so you don't lose face... And your business???


As with any business there is a cost vs benefit vs risk analysis, and I presume in this instance their result was not to spend the money.
I'm surprised at this, because actually from a technical POV, I've always been impressed with the Dixons Carphone websites. They get regularly updated and follow modern standards in the main. Clearly something major has gone wrong here, but they're almost the last company I'd expect this from.
adamspencer95 13 m ago

As with any business there is a cost vs benefit vs risk analysis, and I presume in this instance their result was not to spend the money.



I fully appreciate this, but let's be honest, there should be no doubt that having a data breach is going to have a serious financial impact on your business.
Loss of trust = loss of sales to start with, on top of the expenditure of getting cyber security experts or the like to review your estate, which eventually turns out to be a must: either you do it proactively or you do it after a breach. Though doing it after a breach will mean results are required ASAP and therefore cost more.
And let's not forget the latest comer to the game, GDPR with its massive potential fines...

In this day and age where everything gets rocketed to the top of social media platforms in a matter of seconds, why would you risk it? Or am I just too naive?
laurentmahe 20 m ago

Why is it that they all wait for a breach to "take this seriously and put measures in place" What happened to being proactive so you don't lose face... And your business???


Maybe they don't know there's a particular weakness in the system until someone hacks it.
adamspencer95 27 m ago

As with any business there is a cost vs benefit vs risk analysis, and I presume in this instance their result was not to spend the money.


Clearly, but how much does state of the art data security cost compared to the run of the mill security? Were they saving a million pounds? Hundred million? Just hard to believe this still happens in 2018.
Use cash, cash is king; plastic and contactless cost a fortune to secure.
laurentmahe 57 m ago

I fully appreciate this, but let's be honest, there should be no doubt that having a data breach is going to have a serious financial impact on your business. Loss of trust = loss of sales to start with, on top of the expenditure of getting cyber security experts or the like to review your estate, which eventually turns out to be a must: either you do it proactively or you do it after a breach. Though doing it after a breach will mean results are required ASAP and therefore cost more. And let's not forget the latest comer to the game, GDPR with its massive potential fines... In this day and age where everything gets rocketed to the top of social media platforms in a matter of seconds, why would you risk it? Or am I just too naive?


I never said I agreed with their decision, merely explaining how it came about.

Also bear in mind that no security system is impenetrable with sufficient time and resource.
"We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business ...

= equals =

"We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, we don't know nor want to tell you how much money that we actually spent or continue to spend, to protect your data per customer and we never publish on our company web site security effectiveness actual performance results; just trust us and our heart for you. We don't have a hotline data protection and security responsible manager whose email name and telephone you can use to contact us if you got serious concerns and issues. In the meantime, you can read up our beautifully worded wish policy statement on our web site, however, we don't actually show actuals and how our wish is realised, if at all ever realisable. This is the only data we truly guard with lock and key.

...I bring always my best public relations speak for you. This is because our Data Controller and dozens of managers do not speak nor write as well as me.

------------------

Their share price nosedived; this is severe. The share price is factoring in a massive payout and catastrophic confirmation of Data Protection Act breaches, which paves the way for civil damage claims by customers who suffer loss.
Edited by: "splender" 13th Jun
Should be fined, shame someone like the government doesn't hold them accountable
Started getting alerts last night re account access, this was prob why
Edited by: "goonertillidie" 13th Jun
It's my opinion that any large business should be hiring ethical hackers to try and breach their systems.
Then they'd have a better understanding about plugging the leaks, before the damage was done.
SkyNews now say:
Dixons Carphone says it has been the victim of an "unauthorised data access" in which millions of customer bank card details were targeted over the past 12 months.

The company believed there were attempts since last July - only discovered over the past week - to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.


It said there was currently no evidence of any fraudulent use of the information - with the vast majority of the cards having chip and pin protection.

However, Dixons Carphone said it had notified card providers to 105,000 non-EU issued cards that did not have chip and pin technology so those customers could be immediately protected.


They failed to notice for the past year?
Edited by moderator: "removed profanity" 13th Jun
Just another reason not to shop there... not like we don't need any more, mind you...
Dando83 4 h, 41 m ago

Clearly, but how much does state of the art data security cost compared to the run of the mill security? Were they saving a million pounds? Hundred million? Just hard to believe this still happens in 2018.


Incidents like this occur because it is 2018... or, rather, because the methods to circumvent security can be exchanged in seconds with tens of thousands of interested parties around the globe due to the advent of technology.

The data extracted can also be made available very soon thereafter, & the organisations affected have little-to-no idea any information has been compromised until much later.

It could be worse...

Imagine taking a Toshiba laptop into PC World at Cribbs Causeway in Bristol in 1997, entrusting your data with the staff tasked with fixing a software fault, & also instructing them not to look at the files.

If you store any information with a third party, there is always the possibility that it will be used without your consent & outside of your control... regardless of the year.

Cloud Computing storage & Cashless payment device databases will be the next targets.
y2rotstar 3 h, 10 m ago

SkyNews now say: Dixons Carphone says it has been the victim of an "unauthorised data access" in which millions of customer bank card details were targeted over the past 12 months. The company believed there were attempts since last July - only discovered over the past week - to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores. It said there was currently no evidence of any fraudulent use of the information - with the vast majority of the cards having chip and pin protection. However, Dixons Carphone said it had notified card providers to 105,000 non-EU issued cards that did not have chip and pin technology so those customers could be immediately protected. They failed to notice for the past year?



They are not serious enough about security. They said, "It said there was currently no evidence of any fraudulent use of the information - with the vast majority of the cards having chip and pin protection."

They haven't said, "We have an incentive scheme in house, any one who finds any evidence is rewarded with an employee award of from £10,000 to £100,000."

Performance pay for executives always brings the best. The same rule applies to security executive technicians.
Dixons' IT systems were outsourced to HCL India in 1997.
ismael.florit 11 h, 29 m ago

If only crypto was main stream. Sick of this crap.


If prices carry on the way they are, it will not be main stream but up the swanny!
We should get compo... a free £313 voucher would suffice!

Aye @nihir
fanpages 9 h, 9 m ago

Incidents like this occur because it is 2018... or, rather, because the methods to circumvent security can be exchanged in seconds with tens of thousands of interested parties around the globe due to the advent of technology. The data extracted can also be made available very soon thereafter, & the organisations affected have little-to-no idea any information has been compromised until much later. It could be worse... Imagine taking a Toshiba laptop into PC World at Cribbs Causeway in Bristol in 1997, entrusting your data with the staff tasked with fixing a software fault, & also instructing them not to look at the files. If you store any information with a third party, there is always the possibility that it will be used without your consent & outside of your control... regardless of the year. Cloud Computing storage & Cashless payment device databases will be the next targets.



It could ruin a Glittering career.
fanpages 10 h, 3 m ago

Incidents like this occur because it is 2018... or, rather, because the methods to circumvent security can be exchanged in seconds with tens of thousands of interested parties around the globe due to the advent of technology. The data extracted can also be made available very soon thereafter, & the organisations affected have little-to-no idea any information has been compromised until much later. It could be worse... Imagine taking a Toshiba laptop into PC World at Cribbs Causeway in Bristol in 1997, entrusting your data with the staff tasked with fixing a software fault, & also instructing them not to look at the files. If you store any information with a third party, there is always the possibility that it will be used without your consent & outside of your control... regardless of the year. Cloud Computing storage & Cashless payment device databases will be the next targets.



Oneday7753 m ago

It could ruin a Glittering career.



Gadd you saw the connection.
Isn't this news? Thought this sort of chat was banned now? Maybe I'm mistaken.
In part I feel for these organisations, as the thief is rarely caught and if so faces a lesser punishment than that of an honest company just trying to make some money. Until cyber crime and crime in general is viewed differently with regards to punishment it will always continue. When I was young I used to hear words to the effect, "crime doesn't pay". It needs to be updated to, "crime will cost you deer". I understand about PCA, and fines but are these enough to pay the courts, police, and victims. Yet the irony is money can be spent on rehabilitation of offenders because companies like Tesco, Talk Talk, and Currys can easily be fined.
hubcms 7 m ago

In part I feel for these organisations, as the thief is rarely caught and if so faces a lesser punishment than that of an honest company just trying to make some money. Until cyber crime and crime in general is viewed differently with regards to punishment it will always continue. When I was young I used to hear words to the effect, "crime doesn't pay". It needs to be updated to, "crime will cost you deer". I understand about PCA, and fines but are these enough to pay the courts, police, and victims. Yet the irony is money can be spent on rehabilitation of offenders because companies like Tesco, Talk Talk, and Currys can easily be fined.



How many deer?

More than that, lots more 😁
hubcms 17 h, 12 m ago

More than that, lots more 😁



"crime does deer you" is correct "street" lingo.

The CEO and their directors at Carphonewarehouse deered you.
I'm a little confused by your comments however as long as I remained fully clothed and unharmed at all times I guess I'm ok!
fanpages 13th Jun

Incidents like this occur because it is 2018... or, rather, because the methods to circumvent security can be exchanged in seconds with tens of thousands of interested parties around the globe due to the advent of technology. The data extracted can also be made available very soon thereafter, & the organisations affected have little-to-no idea any information has been compromised until much later. It could be worse... Imagine taking a Toshiba laptop into PC World at Cribbs Causeway in Bristol in 1997, entrusting your data with the staff tasked with fixing a software fault, & also instructing them not to look at the files. If you store any information with a third party, there is always the possibility that it will be used without your consent & outside of your control... regardless of the year. Cloud Computing storage & Cashless payment device databases will be the next targets.


If these people spent their time on noble pursuits they'd probably make more money.
Just received an update from these jokers...

dixonscarphone.com/mes…age

13 Aug 2018


Important message from Dixons Carphone

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Yours sincerely,

Antreas Athanassopoulos
Dixons Carphone Chief Customer Officer