Dixons Carphone (“DC”) is investigating a hacking attempt which involved almost six million credit and debit cards and over a million customer data records. The incident could be the first significant data breach to be investigated by the Information Commissioner’s Office (“ICO”) under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The company is in the embarrassing position of having to admit a significant data breach has occurred for the second time in three years and just weeks after the new data protection laws came into force last month.
According to DC the breach was discovered last week, but the hack itself began in July 2017 and involved 5.9m payment cards and 1.2m non-financial personal data records (such as name, address or email address). DC also confirmed that only 105,000 of the affected cards, all issued outside the EU, lacked chip and PIN protection. Chip and PIN makes it harder to use copied card data at a physical terminal; it does not by itself prevent card-not-present fraud, so cardholders should still watch their statements.
The outcome of the ICO investigation and any subsequent action will be keenly watched, especially if the breach is deemed to have taken place after GDPR began to apply on 25 May 2018. Ambiguity arises because the breach occurred, or at least commenced, in pre-GDPR times (July 2017), when the Data Protection Act 1998 was in force. If the incident is deemed to be subject to GDPR rules, the ICO could potentially fine DC up to 4% of its annual global turnover (or €20 million, whichever is higher). Last year the group reported total sales of £10.5 billion, so a fine under GDPR could in principle run to hundreds of millions of pounds. Under the Data Protection Act 1998 the maximum fine is £500,000, significantly less.
The ICO are playing their cards close to their chest, saying: “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Act.”
Britain’s National Crime Agency (“NCA”) said it was heading a criminal investigation into the hack, working with the National Cyber Security Centre, the Financial Conduct Authority and the ICO. Mike Hulett, the NCA’s head of operations, said: “The complexity of these inquiries means this is an investigation which will take time.”
The incident reflects a long-term complacency around cybersecurity at many companies, which the introduction of GDPR earlier this year has not yet changed. This is the first heavily publicised breach in the UK since the GDPR and the Data Protection Act 2018 came into force, and there will undoubtedly be many more. It could well undermine consumer confidence in DC, whose share price fell 3.1% after disclosure of the breach. Some companies (such as DC) are always going to be a rich source of credit card and personal information for cyber criminals. Though DC has said there is no evidence of fraud occurring, the data is now in the hands of cyber criminals: the card data exposes cardholders to potential fraud, and the names, addresses and email addresses leave the affected customers exposed to targeted phishing attacks.