Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.

It is investigating the hacking attempt, which began in July last year.

Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

There was “an attempt to compromise” 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked, it said.

The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said.

Dixons Carphone shares fell more than 3% in early trading.

dixons data security breach

Analysis by BBC technology correspondent Rory Cellan-Jones
On the face of it, this is a very serious incident.

Usually when companies report a data breach they are very quick to reassure us that while names, email addresses and login may have been accessed, no payment information has been released.

This is not the case here with Dixons admitting that hackers got access to records of nearly six million payment cards.

The good news is that nearly all of them were protected by good old chip and pin – and there is no evidence of any fraud relating to the 100,000 non European cards which didn’t have that protection.

But there are still questions for Dixons Carphone to answer.

Why has a hack that apparently happened nearly a year ago only been revealed now?

And is there any connection to a previous data breach at Carphone in 2015?

Dixons insists that it only discovered this latest hack a week ago and it has no connection with any previous incident.

But the UK Information Commissioner’s Office (ICO) which fined Carphone Warehouse £500,000 for the 2015 breach will now be looking very closely at this latest failing of the merged companies.

Luckily for Dixons, the incident happened before the new GDPR rules, which promise much bigger fines, came into force.

The 1.2 million personal data records accessed by the hackers consisted of non-financial information such as names, addresses and email addresses. The spokesman also stated that “Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.

Carphone Warehouse said it had no evidence that the information had left its systems or resulted in any fraud, but it was contacting those affected to advise them.

It added that it had brought in leading cyber-experts and added extra security measures to its systems.

Dixons Carphone chief executive Alex Baldock said it was “extremely disappointed” by the data breach and “sorry for any upset”,

“The protection of our data has to be at the heart of our business, and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously,” he added.

Tough challenges

Bryan Glick, editor in chief of Computer Weekly, told the BBC that the breach was “right up there” as one of the biggest to date involving a UK company.

However, he cautioned against any panic. “If you’ve not heard from Dixons Carphone to warn you, the chances are you’re OK,” he said.

It is the second hack the company has been forced to admit publicly in the past three years after it was targeted in 2015.

Alex Neill, managing director of home products and services at the consumer group Which?, said: “This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data – so it is critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Data breaches are becoming more and more common, but consumers lack the powers they need to ensure companies are held to account.

“That is why the Government should give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to meet its data protection obligations.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

If you are a business which has been effected, contact Citadel Cyber Security for advice