Cyber Incident Victim: Dixons Carphone

Date: Jul 2017

Location: United Kingdom

Summary

A major data breach at Dixons Carphone compromised approximately 5.9 million payment cards and 1.2 million personal records, primarily involving names, addresses, and email addresses. While most payment cards were protected by chip-and-PIN security, around 105,000 non-European cards without such protection were confirmed leaked, though no fraud evidence was found. The intrusion targeted processing systems of Currys PC World and Dixons Travel stores, prompting the company to notify affected individuals, implement enhanced security measures, and collaborate with cybersecurity experts. The incident drew regulatory scrutiny due to its scale and the firm's prior data security failures, though it occurred before stricter GDPR penalties took effect. The CEO acknowledged shortcomings in data protection and expressed regret for the breach.

Description

The Dixons Carphone data breach was discovered in June 2018 but originated from a hacking attempt that began in July 2017. Attackers targeted payment processing systems at Currys PC World and Dixons Travel stores, compromising records of 5.9 million payment cards and accessing 1.2 million personal data records. Of the affected payment cards, 5.8 million were subject to attempted compromise, with only 105,000 cards without chip-and-PIN protection (all non-European) confirmed to have been successfully exfiltrated. The personal data records contained non-financial information including customer names, addresses, and email addresses. The company stated it found no evidence that personal data had left its systems or resulted in fraudulent activity. Dixons Carphone publicly disclosed the breach one week after discovering it during its investigation, nearly eleven months after the initial intrusion occurred.

The breach caused Dixons Carphone shares to drop over 3% following disclosure. The UK National Cyber Security Centre collaborated with the company to assess impacts on UK citizens and develop mitigation measures. This incident drew scrutiny from the Information Commissioner's Office (ICO), which had previously fined Carphone Warehouse £400,000 for a 2015 data breach, though Dixons maintained no connection between the events. As the breach predated GDPR implementation, the company avoided potential larger fines under the new regulations. Chief Executive Alex Baldock publicly apologized, acknowledging security failures while emphasizing no fraud evidence had been detected. The company engaged cybersecurity experts, implemented additional protective measures, and notified affected customers despite asserting no confirmed data misuse. This breach ranked among the largest reported by a UK company at the time; officials advised customers that those who had not been notified directly were unlikely to be affected.