Dixons Carphone Data Breach – A Costly Case of “Head in the Sand”

Lorna Fimia

Tut Tut! The Dixons Carphone group has been hit by another potentially devastating cyber attack. This time around, millions of credit card numbers and data records are involved. It couldn’t get much worse really.

Back in 2015 activereach was campaigning for businesses to get their heads out of the sand – and recognise the very real risk of DDoS, ransomware and web application attacks. We even donned Ostrich suits to get the message across to a bemused audience at Infosecurity Europe!

So what lessons have been learned since the Carphone Warehouse breach in 2015, if any? Or do we need to dust off those Ostrich suits again?

Serious Vulnerabilities, Serious Hacks

In January of this year, Carphone Warehouse (part of the Dixons Carphone group) was fined £400,000 by the Information Commissioner, one of the largest monetary penalties ever issued, in relation to a hack in 2015 which saw the exfiltration of over 3.3m customer records. And rightly so: the ICO discovered that none of the servers had antivirus software installed, and that all of them shared the same administrator password (known to over 30 staff members). Its e-commerce systems and websites had not been patched for six years and no Web Application Firewall (WAF) was installed. Moreover, encryption keys for the databases were stored in plain text, and no one could explain why the databases held such a large volume of historic customer data in the first place.

In short, they were far from adopting best practice. In the ICO’s report on that incident, Carphone Warehouse was criticised for its “multiple inadequacies” when it came to information security and its failure to take adequate steps to protect customers’ personal information.

Head in the Sand?

Rolling on to the present day breach, has anything really changed?

Dixons Carphone said in a statement that “a review of its internal systems had uncovered a security breach at one of the processing systems used by Currys PC World and Dixons Travel stores.”

According to reports, the breach could have occurred as far back as 2016. What is worrying here is the delay between the breach occurring last year and its disclosure. Whether or not that was down to the company not being aware until now is yet to be ascertained. Thankfully, under GDPR, non-disclosure for business reasons is no longer possible, as the Information Commissioner's Office must be informed within 72 hours whenever possible.

The breach is particularly serious as it extends to the exposure of users’ credit card information, not just personal data (such as names, email addresses, or even passwords). Almost six million payment card details have ended up in the hands of hackers. On a more “positive note” (!) Dixons Carphone has pointed out that the majority of the breached cards have chip and PIN protection.

Whilst technical details of the latest breach have yet to emerge, a look through the 2016-17 Dixons Carphone annual report suggests that the group has a very long way to go.

The term ‘cybersecurity’ made the boardroom agenda just once – and even then only appeared as a footnote to a wider topic on IT infrastructure. Yes, it’s a severe case of head in the sand, I’m afraid.

Chief Executive Alex Baldock has renewed his pledge to significantly increase spending on technology and IT systems following the latest attack, but this has been the Dixons mantra for many years now.

With the recent breach he has gone public on the group’s failings, stating:

“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Too Many Ostriches Still at Large – The Cost is Big

Customer data protection needs to be at the top of every boardroom agenda. As a business on the sharp end of cybersecurity, we can testify that the retail sector, in particular, is facing increasingly sophisticated cyber attacks. Preventative measures need to be proportionate to the risk – and need to continually evolve at a pace in keeping with the threat actors. And then these measures need to be tested and reviewed – an element that is often neglected.

From DDoS and web application attacks to ransomware and phishing, organisations must wake up to the fact that the cyber-danger is real. With GDPR legislation now in play, it has never been more critical that customer information is robustly safeguarded. Under the previous Data Protection Act rules, the maximum fine imposed would be £500,000. Under the GDPR rules, firms could face a maximum of €20m (£17.6m) or 4% of global turnover, whichever is the greater. On balance, I’d rather invest in an effective cybersecurity approach!

So the real question is: how many more retailers have taken the ‘head in the sand’ approach like Dixons Carphone? I fear there are a few more ostrich eggs waiting to hatch out there…

activereach provides professional services and solutions in the area of cybersecurity, working across the technology marketplace with a vendor-neutral approach. If you are a retail organisation and would like to discuss best practice for securing your web assets, web apps and servers, please get in touch by calling activereach on 0845 625 9025.