Dixons Carphone is investigating a breach involving millions of customer payment cards and personal data records. The firm has revealed details of an attempt by hackers to gain access to one of the processing systems in July 2017. The processing system in question contained details of 5.9m payment cards. Dixons Carphone said there was no evidence of fraud as a result of the incident and added that it was working with leading cybersecurity experts to examine and strengthen its systems.
The cybersecurity community had plenty to say on the breach.
David Rushmer, senior threat researcher at Cylance
“The majority of organisations operate under the security vs. usability paradigm that suggests a tradeoff between the two; increased security decreases usability and vice versa. Equally data storage methods are pretty varied. One organisation may choose to store it internally where as others opt to use a 3rd party.
In order to protect customer data, the best option for organisations currently is to adopt ‘Privacy By Design’ where systems are built from the ground up with privacy, and thereby data protection, as the focal point. While there are arguments that it might not work or it will decrease usability, it is currently the best solution available to protecting data.
Any organisation moving forward has to inform you what they are doing with your data. The best thing any consumer can do is read and understand what data they are sharing, what the organisation intends to do with it and where it is being held. Furthermore, any consumer, certainly within the EU, should read up on what the GDPR means and what rights it offers them.”
Patrick Hunter, director at One Identity
“Another High Street business has been targeted and successfully hacked. Retail companies are always going to be a good source of credit card and personal information as companies, like Dixons, collect a lot of customers. The first major example of this was the Target breach in the US and this caused a massive amount of negative news for Target themselves but it should also have been a warning.
All companies in the EU have a duty to have maximum data privacy by default and, although this breach was last year, they should have been better prepared to meet the exacting standards of the current iteration of GDPR. Dixons haven’t said that the data lost was encrypted for example – a simple measure that would have protected their customers’ data.
There is no information on how the breach was made but they stated that they are now working with experts to better protect themselves from a further attacks. Yet again, the customer data has been on the balance with ‘cost to protect’ on the other side of the scale. Risk – were they betting on not being attacked or did they genuinely believe that they had best security practices in place? We can certainly suspect that there are companies out there that are doing just that, they are hoping their networks are not attacked. This is no longer good enough.
Simple measures can be put in place to mitigate these breaches. Two factor authentication is a relatively simple way of restricting access to resources and can be a cost effect solution. We don’t know how Dixons was breached, whether internal or external, it doesn’t matter. You can protect the data by locking away the passwords needed to access it and automatically change them regularly. In order to get that password, you need permission from someone else in a position to make that decision. This can be further enhanced by limiting the access employees have in general; understand what they can and cannot do, not should or maybe. Any organisation that holds our data has to do more than hope they won’t be the next breach in the news.”
Robert Capps, VP at NuData Security, a Mastercard company:
“As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile. In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world.
Bad actors keep taking advantage of the smallest gap to steal customer data. For this reason, we must change the current equation of “breach = fraud” by changing how companies think about online identity verification. Companies need to protect all customer data, but more importantly, they need to make it valueless.
“Multi-layered technology that thwarts fraud exists right now. Passive biometrics and behavioural analytics technology are making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can’t replicate the customer’s inherent behaviour attached to that data.
The balance of power will return to customer protection when more companies implement such techniques and technology.”
Andrew Clarke, EMEA director, One Identity
“With the revelation this morning from Dixons Carphone that last year (2017) they were hit by a data loss event – 5.9 million customer bank card details and 1.2 million (non-financial) personal data records – we see an immediate impact on the financial status of the company, with the news immediately sending shares down 5%. The discovery as a result of pro-active business reviews of systems and data, will raise the inevitable questions on what went wrong but in the current climate no one is surprised at this type of incident. The impact of the data loss is lessened since of the 5.9 million cards – 5.8 million have chip and pin protection leaving approx. 105,000 non-EU issued payment cards without chip and pin protection that have been compromised. This illustrates the strength of this security measure to mitigate risk. Further the company confirmed that they are taking steps to remedy; having promptly launched an investigation, engaged leading cyber security experts, added extra security measures to systems and communicating directly with those affected – as well as informing the relevant authorities including the Information Commissioner’s Office (ICO).
The company has seen this type of incident occur before though. A prior cyber-attack incident in 2015, affected Carphone Warehouse – now part of this business – resulted in a fine of £400,000 from the ICO. On that occasion, the company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees. The ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. Using valid login credentials, intruders were able to access the system by out-of-date WordPress software. The incident also exposed inadequacies in the organisation’s technical security measures. Key parts of the software in use on the systems affected were out of date and the company failed to carry out routine security testing. There were also inadequate measures in place to identify and purge historic data.
This type of incident re-emphasizes the importance of continual security review – to ensure that vulnerabilities are isolated and removed – and also to ensure access to systems is effectively managed and controlled. All it takes is for one accessible administrative account available to privileged users to be identified and then used in a malicious manner. It also reasserts the need to have a strong discipline on data governance and ensure that only the right people get access to the right information at the right time.”
Lee Munson, security researcher at Comparitech
“The breach at Dixons Carphone highlights, yet again, how common attempts at exfiltrating personal data and payment card information have become.
What is worrying here is the delay between the breach occurring last year and the disclosure today. Whether or not that was down to the company not being aware until now is unclear. Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO must be informed within 72 hours whenever possible.
Whatever the case, a breach of this size is likely to affect Dixons Carphone at a time when it is ill-prepared for the consequences. Typically, a business will see its share price fall on the back of a breach before recovering in the longer-term. In this instance, the fragility of the company may mean that the short-term dip will prove to be fatal.
Of more concern is the affect this could have on the chain’s customers, millions of whom have had their personal or payment card information leaked.
Dixons Carphone says there is no evidence of fraudulent payments being made with the stolen cards but affected customers would be well advised to keep an eye on their bank and credit card statements in case of rogue payments being taken.
Where personal information has been swiped, victims should be doing the same while also keeping a keen eye on their credit reports, in case of identity theft.”
James Hadley, CEO & Founder of Immersive Labs
“Cyber criminals continue to develop and carry out sophisticated attacks on the retail sector where personal data and payment information are often transmitted and stored in unsecure ways. Companies, including the retail sector need to ensure they have both technical solutions and skilled technical staff to reduce risks to acceptable levels.”
Andy Norton, director of threat intelligence at Lastline
“This is not the first time Dixons has been breached; They just paid a £400,000 fine for a 2015 breach of subsidiary company Carphone Warehouse. This will be an interesting precedent, as the the breach occurred pre-GDPR enforcement date, but the impact to victims will happen post-GDPR enforcement date. It will also be a dilemma for the ICO office, who has shown a preference not to impose large GDPR like fines. However, this is now the second occurrence and the ICO office will not want to be seen as being tolerant of data breaches.”
Itsik Mantin, lead scientist at Imperva
“Modern businesses rely on data more than ever to carry out their operations, but the value of data comes with a growing business risk.
Dixons was “lucky” to have had the breach before the GDPR regulation became effective, and the impact of the breach on their business was limited to 5.5% fall in the share price.
Had the breach happened later than May 25, and if found guilty of not taking proper measures to protect their users’ data, they could have suffered the higher barrier of the GDPR’s monstrous fines.”
Adam Brown, manager of security solutions at Synopsys
“Data is everywhere and it can be very difficult to keep track of sensitive data as it traverses an organisation. It can pass through insecure channels unintentionally, be subject to risky processes or end up in a quiet enclave / disused system forgotten for years, as we saw with Carphone Warehouse.
Credit card data these days is well protected due to the prescriptive requirements of the PCI council, however that in itself can be an issue. Prescriptive approaches inspire checkbox mentalities. To protect data, a data centric approach would maintain focus on our most critical data assets in an organisation.
No one thing can fix problems like these. In reality, data security needs to be a boardroom subject. Direction from the top is the most effective way to set up a deliberate and purposeful security initiative. Successful manifestations of this have a software security group with clear direction, underpinned by a satellite team. Synopsys has observed that effective programmes have 1.6 software security group members per 100 developers.
As for consumers, they can only be vigilant for fraudulent transactions if they have had dealings with any of the affected group companies. 5.9 million cards is a very serious heist when considering the £10bn turnover of Dixons Carphone, especially when compared to the largest breach yet at Target ($71bn turnover) which saw 70 million cards breached.”
Javvad Malik, security advocate at AlienVault:
“Details are still emerging on the latest breach in which it appears as if many personal records were compromised.
It appears as if the breach occurred prior to GDPR coming into force, which may prevent the ICO from imposing GDPR standards. But it is concerning that it appears to have taken many months before the breach was in fact detected by the company.
Breaches can be considered a cost of digital business. It shouldn’t come as a surprise when attackers try to access a system. However, threat detection controls should be in place that can at least detect when an attack does occur so that the appropriate remedial actions can be taken.
In this day and age, for large companies that hold millions of customer records, waiting months before a breach is even detected should not be acceptable.”
Paul Edon, Technical Director (EMEA) at Tripwire:
Victims of the Dixons Carphone data breach should immediately change elements of their account security, such as passwords, as the moments after a data breach are when victims are most vulnerable.
Even though Dixons Carphone released a statement saying that there is ‘no evidence of cards being used fraudulently following the breach’, it is imperative that individuals continually monitor their bank accounts and report any signs of identity theft or fraudulent activity to their banks.
Financial information is a high commodity on the dark web and so it will be highly targeted by criminals. Most organisations understand the importance of having the appropriate security solutions in place but unfortunately, their ability or willingness to invest in the correlation and active monitoring of the output from these solutions reduces their ability to recognise the initial and ongoing security incidents that would otherwise alert them in a more timely manner to the potential breach.
Dr Guy Bunker, SVP of Products at Clearswift
“This breach shows how difficult it can be to get a breach under control. Dixons Carphone has been fined for security incidents in the past and either the clean-up wasn’t thorough enough, or there remained holes in their security which haven’t been fixed. Either way, the outcome is the same, repeat breaches.
As with any breach, there is only evidence where there is evidence, and sophisticated cyber-attackers can remove traces, often leaving behind only that which they want found in order to cover up other actions they have taken.
When it comes to fraud, it is difficult to prove whether this is the source or not and the impact of losing this data can have a long term impact. While a credit card can be easily cancelled and replaced, addresses and email addresses will remain unchanged for days, weeks, months, years. Email addresses when coupled with other personal information like a name and address is fodder for phishing. As with any breach made public, phishing scams will run riot asking people whether they were customers and to register information, etc. The advice here is to watch out for such emails and ignore them, if you are concerned then call a known number, not necessarily one you get through email.
In addition to the reputational damage that comes with a data breach where payment information has been leaked, GDPR enforcements will also have a huge impact on Dixons Carphone. As well as having to compensate those who have had their sensitive information leaked, the organisation may have a fine of up to 4% of their global annual turnover. For a company this size, this could be in the millions and has the potential to impact the future profitability of the organisation.”
André Stewart, VP EMEA at Netskope
“The Dixons Carphone breach underlines once again the simple fact that data, especially personal data, is a commodity for cybercriminals, offering high ROI with little effort exerted in time or resource. Such breaches continue to recur because businesses are still rooted in legacy and traditional security practices that fail to fully protect them and their data. Organisations will continue to fall short of the mark in protecting themselves unless they change their security approach. The onus is on enterprises to look at their practices, implement intelligent controls, remove blind spots and close the gaps that criminals are looking to exploit.
What’s most surprising is just how long it’s taken this breach to be discovered. During that time, it’s likely that any data harvested has been sold on and exploited. With GDPR in effect, such a time lag is no longer acceptable so the immediacy of reporting breaches will be under increased scrutiny. ”
David Warburton, Security Specialist at F5 Networks
“Organisations must act as responsible stewards of data, respect the wishes of customers, and provide transparency at every juncture. Citizens have regained control of their personal data with the GDPR and businesses must respect that the transactional relationship with customers has significantly changed. Advanced app security, efficient database management, and the harvesting of customer information with compliance are now prerequisites for being in business today.
Those organisations that adhere to best practice, including full visibility into normal traffic patterns and breaches, will keep pace with the fast-moving digital generation. Those that have not done their due diligence will find themselves not just at the mercy of the law but will suffer the discontent of customers and the loss of trust.”
James Maude, lead security engineer at Avecto
“Although this appears to be another high-level breach, the early indicators are not all bad – with the company identifying the breach and having a good handle on the impact and number of records involved. This is a significant improvement from previous breach notifications from other organisations where details were scarce and the impact unknown. It also appears that none of the data has been used so far for fraudulent purposes, which would indicate that the breach was caught in the early stages.
Even though this breach amounted to 5.9 million card details and 1.2 million user records being compromised, the widespread use of chip and pin technology mitigates the risk of simple card cloning. However, it may be worth noting that customers from outside the UK may not be as well protected.
Despite the fact that this occurred before the introduction of GDPR, we can only hope that a breach of this magnitude will force the markets and other large organisations sit up and pay attention. The impact on the share price is a lasting reinforcement of the financial and reputation damages that companies face following a breach.
In the meantime, businesses need to be as proactive as possible when it comes to assessing security risks and weaknesses within their own systems and supply chain. For many organisations, it only takes one privileged admin account to be targeted by a phishing attack or one key system to not be patched for an attacker to gain entry and expose all the data they hold. We need to start thinking about reducing risk and layering defences to prevent these shortcuts from being compromised.”
Leigh-Anne Galloway, Cybersecurity Resilience Lead, Positive Technologies
“Obviously details are thin on the ground about precisely what happened right now and that means there are more questions than answers. The main question is how are they storing/transmitting this information? The answer to that will be key in determining what went on and how they are going to sort it out.
Saying ‘don’t worry, most of the payment cards were chip & pin’ is also a big concern and suggests a lack of knowledge about how these cards work and the risks. You can extract track two equivalent – data from the magnetic stripe – from chip & pin and write this to the magnetic stripe of a plain card, then make a transaction with that. It’s always worth noting that if an attacker physically gets hold of a card they can bypass pin input or intercept the pin in offline mode (for certain types of chip). Anyone who thinks their details may have been included – or who gets told they are by Dixons Carphone – should keep a watchful eye on their bank accounts and potentially request a replacement card from their bank.”
Peter Carlisle, VP EMEA, Thales eSecurity
“Cyber criminals are getting smarter, better and faster, with this latest breach adding to a much longer list of previously targeted organisations. This has made trying to protect customer data an exhausting process, as sophisticated and well-funded hackers adapt quickly to new security measures.
In the best effort to fight cybercrime head on, businesses need to take data security into their own hands, using a combination of preventative – not reactive – processes to throw hackers off track. Once organisations know exactly where their data resides, they need to determine what is worth defending and adopt an encrypt-everything approach. Through layering protection methods, enterprises can easily control data wherever it sits in their business and successfully strengthen their security posture.
With the GDPR in full force, it’s no longer just a lack of customer trust and a tarnished reputation organisations need to be worried about, but also the risk of losing €20 million or 4 per cent of annual revenue, whichever happens to be greater. A significant amount of money to lose for any business, now the perils of a data breach just got a lot more serious.”
Paul Cant, VP EMEA, BMC Software
“With the inordinate quantity of bytes of data continuing to grow at an exponential rate, it is unsurprising that data breaches are now commonplace in the world of technology – but this is still not an excuse for them. And with the GDPR now in full force, organisations simply cannot afford to leave cybersecurity as a fleeting afterthought.
Only by relentlessly examining internal processes can companies discover how their systems storing data are configured, how they’re connected, where any vulnerabilities sit and then piece together a plan to remediate those vulnerabilities and correct them – keeping the personal data of their customers secure.”
Andrew Lloyd, president, Corero Network Security
“This is not the first attack against the high street retailer – it was previously victim to one of the best-known DDoS attacks in 2015 and in January this year was fined £400k by the ICO after exposing the details of millions of its customers. With GDPR now in full force the timing could not be worse for Dixons Carphone.
Whether this breach was caused by another DDoS or other cyber-attack, this disclosure should serve as a wake-up call to directors of every enterprise who are either in denial or are ignorant of the risks that they’re facing. The same old cyber-defences have been proven to be inadequate. The adoption of proactive, real-time defence solutions is critical to ensuring that enterprises are adequately protected, enabling them to stay open for business during a cyber-attack, minimising the risk of any data breach, resulting in regulatory fines and/or public confidence erosion.”
Eyal Benishti, CEO and Founder, of IRONSCALES
“When we see any data breach, it’s the organisation’s customers that are put in the firing line having had their information disclosed to criminals. In the coming days and months, now that this breach has become public knowledge, it’s likely that we will see a major uptick in criminals looking to capitalise on this breach, even if they weren’t the original hackers, by sending scam messages to consumers hoping to trick one or two into believing the malicious communication and being tricked into giving away even more information.
Things to look out for will be messages purporting to be from Dixons Carphone offering free credit monitoring services by clicking links which instead will give away even more personal information to the fraudsters. As payment card data has been affected, we might even see criminals trying to spoof users’ banks in a bid to get users to disclose the three CVV numbers from the back of cards in the hope of getting this information to complete the user’s card record, messages might encourage them to apply for a new card or even persuade them to download a malicious program in the guise of monitoring software purported to help protect them.
Another avenue criminals will almost certainly look to exploit is social media with angler phishing scams. In these instances, criminals will create fake social accounts that mimic an affected brand – in this case Dixons Carphone, and when a consumer airs their grievances or looks for support by tagging the real account profile, the scammer will intercept the communication and contact the user to offer ‘help and reassurance’ in a bid to lure them to a phishing site or call a fake helpline etc.
Vigilance will be key in the coming days and months and if anything arrives into a user’s mailbox, they receive an SMS message, or are contacted by a social media profile, it’s imperative these interactions are viewed with caution and the messages scrutinised. If in any doubt, check it with the sending organisation before clicking any links, downloading any software, or calling any of the numbers offered.”
Martin Jartelius, CSO at Outpost24:
Data protection is complex and a constant balance between ensuring that data is accessible for legitimate reasons at the time of need, while attempting to restrict and limit access to unauthorized sources. System integrations are great for customer experiences but inevitably expands the attack surface, and attackers understanding of modern solutions and development of offensive techniques also evolve.
In this case, Dixons is taking the responsible path by reporting the potential breach rather than attempting to unlawfully hide this information until they know more about what has been affected, but the report inevitably creates fear and casts a shadow over their business. The good thing is Dixons has reported the personal data breach, informed potentially affected clients as well as initiated an investigation – the outcome is yet to be confirmed, and it will be of interest to many organizations.
Organizations who wish to protect data need to ensure that security basics are built into their operations – know what systems you have on your networks, what is running on them, harden and deploy consistently, audit this via modern vulnerability management solutions, and manage administrative credentials with care. Understanding the weak points and implementing a restrictive setup to limit the security exposures are just the start, there is plenty more to be done, but those rather simple steps will get you the highest return with the least effort.
Consumers who have been informed that they may be affected should review their card statements for any unexpected or unusual activity. As this breach concerns credit cards, PCI guidelines will be applied, and if cards are confirmed as affected, be expected to receive a replacement. But common sense and a healthy insight into your financial transactions is the best way to spot inconsistencies and limit loss.