Dixons Breach Results in 5.9 Million Payment Cards Compromised

Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records. It is investigating the hacking attempt, which happened last year.


Commenting on this news is Patrick Hunter, EMEA Director at One Identity:

“Another High Street business has been targeted and successfully hacked.  Retail companies are always going to be a good source of credit card and personal information as companies, like Dixons, collect a lot of customers.  The first major example of this was the Target breach in the US and this caused a massive amount of negative news for Target themselves but it should also have been a warning.

All companies in the EU have a duty to have maximum data privacy by default and, although this breach was last year, they should have been better prepared to meet the exacting standards of the current iteration of GDPR.  Dixons haven’t said that the data lost was encrypted for example – a simple measure that would have protected their customers’ data.

There is no information on how the breach was made but they stated that they are now working with experts to better protect themselves from a further attacks.  Yet again, the customer data has been on the balance with ‘cost to protect’ on the other side of the scale.  Risk – were they betting on not being attacked or did they genuinely believe that they had best security practices in place?  We can certainly suspect that there are companies out there that are doing just that, they are hoping their networks are not attacked.  This is no longer good enough.

Simple measures can be put in place to mitigate these breaches.  Two factor authentication is a relatively simple way of restricting access to resources and can be a cost effect solution.  We don’t know how Dixons was breached, whether internal or external, it doesn’t matter.  You can protect the data by locking away the passwords needed to access it and automatically change them regularly.  In order to get that password, you need permission from someone else in a position to make that decision.  This can be further enhanced by limiting the access employees have in general; understand what they can and cannot do, not should or maybe.  Any organisation that holds our data has to do more than hope they won’t be the next breach in the news.”