Dixons Carphone reveals data breach affecting 5.9 million customers

The news that broke today. Dixons Carphone has revealed a major breach of data involving unauthorised access to 5.9 million customers cards and 1.2 million personal records.


Please see below for commentary from cybersecurity experts.

David Rushmer, senior threat researcher at Cylance:

“The majority of organisations operate under the security vs. usability paradigm that suggests a trade-off between the two; increased security decreases usability and vice versa. Equally data storage methods are pretty varied. One organisation may choose to store it internally where as others opt to use a 3rd party.

In order to protect customer data, the best option for organisations currently is to adopt ‘Privacy By Design’ where systems are built from the ground up with privacy, and thereby data protection, as the focal point. While there are arguments that it might not work or it will decrease usability, it is currently the best solution available to protecting data.

Any organisation moving forward has to inform you what they are doing with your data. The best thing any consumer can do is read and understand what data they are sharing, what the organisation intends to do with it and where it is being held. Furthermore, any consumer, certainly within the EU, should read up on what the GDPR means and what rights it offers them.”

Adam Brown, manager of security solutions at Synopsys:

“Data is everywhere and it can be very difficult to keep track of sensitive data as it traverses an organisation. It can pass through insecure channels unintentionally, be subject to risky processes or end up in a quiet enclave / disused system forgotten for years, as we saw with Carphone Warehouse.

Credit card data these days is well protected due to the prescriptive requirements of the PCI council, however that in itself can be an issue. Prescriptive approaches inspire checkbox mentalities. To protect data, a data centric approach would maintain focus on our most critical data assets in an organisation.

No one thing can fix problems like these. In reality, data security needs to be a boardroom subject. Direction from the top is the most effective way to set up a deliberate and purposeful security initiative. Successful manifestations of this have a software security group with clear direction, underpinned by a satellite team. Synopsys has observed that effective programmes have 1.6 software security group members per 100 developers.

As for consumers, they can only be vigilant for fraudulent transactions if they have had dealings with any of the affected group companies. 5.9 million cards is a very serious heist when considering the £10bn turnover of Dixons Carphone, especially when compared to the largest breach yet at Target ($71bn turnover) which saw 70 million cards breached.”