Earlier this year, high-street electronics firm Dixons Carphone revealed that a data breach had occurred the previous year, affecting over 1 million customers, with a further 5 million card details also having been stolen. The organisation has now revealed that the breach may have affected approximately 10 million customers. In a statement released by the company, it was claimed that there is still no evidence that fraud has occurred as a result of the breach.
Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.
The data accessed was customers' personal data and, while there is evidence that data left the system, the stolen data did not include payment card or bank account details. Dixons Carphone Chief Executive Alex Baldock has commented:
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.
Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
As with Facebook's recent fines, the Information Commissioner's Office will be investigating what happened and taking action in due course. Because of when the breach occurred (2017, before the GDPR came into force), any fine will be issued in line with the Data Protection Act (1998).
The maximum fine for a serious breach under the Data Protection Act is £500,000.
Carphone Warehouse were fined £400,000 by the ICO for a breach that occurred in 2015.
Fines under the GDPR
The General Data Protection Regulation is a European law that came into effect in May 2018. Under the updated law, organisations have a number of responsibilities to protect data securely, and data breaches can be punished in a number of ways, including an undertaking or a monetary fine.
Unlike previous data protection laws, the GDPR allows fines of potentially billions to be given to organisations for the most serious failings. The most serious breaches can be punished by a fine of up to £17,000,000 or 4% of global revenue; a second fine of up to £8.5 million or 2% of global revenue can be given if an organisation fails to report a breach within 72 hours of its discovery.
Avoiding data breaches
A data breach can occur in many ways; some of the most common are hacks, data theft and data loss. It can be almost impossible to protect all systems against every threat that modern organisations face, with threats like ransomware still at large. It is vital that internal processes exist both to protect against threats like ransomware or a hack and to recover from such a scenario.
Limiting access to important systems, or systems that hold personal data, can help to prevent internal sources of data breaches. In addition, limiting access ensures that only trusted users can access data and makes it easier to track who accesses data and why.
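As an added illustration of the point above (example code written for this page, not anything used by Dixons Carphone or the ICO), the following shows a minimal least-privilege gate with an audit trail: a role table decides which data categories a user may read, every attempt (allowed or denied) is recorded with the user, the record and the stated reason, and the log can be queried to answer "who accessed this record and why". The roles, categories and customer records are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role table: which roles may read which categories of data.
# Nobody gets "payment" unless their job actually requires it.
ROLE_PERMISSIONS = {
    "support_agent": {"customer_contact"},
    "finance": {"customer_contact", "payment"},
    "marketing": set(),
}


@dataclass
class AuditEntry:
    """One access attempt, whether it was allowed or not."""
    when: str
    user: str
    role: str
    category: str
    record_id: str
    reason: str
    allowed: bool


@dataclass
class DataStore:
    """Personal-data store whose only read path goes through access()."""
    records: dict                      # category -> record_id -> record
    audit_log: list = field(default_factory=list)

    def access(self, user, role, category, record_id, reason):
        """Return a record if the role permits it and a reason was given.

        Denied attempts are logged too, so unexpected access patterns can be
        spotted during an investigation, not just successful reads.
        """
        permitted = category in ROLE_PERMISSIONS.get(role, set())
        allowed = permitted and bool(reason.strip())
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, category=category,
            record_id=record_id, reason=reason, allowed=allowed,
        ))
        if not allowed:
            raise PermissionError(
                f"{user} ({role}) denied {category}/{record_id}: "
                + ("no reason given" if permitted else "role not permitted")
            )
        return self.records[category][record_id]

    def who_accessed(self, category, record_id):
        """Successful reads of one record: who, when and why."""
        return [e for e in self.audit_log
                if e.category == category and e.record_id == record_id
                and e.allowed]

    def denied_attempts(self):
        """Every refused access, useful as a detection signal."""
        return [e for e in self.audit_log if not e.allowed]


def build_sample_store():
    """Constructed sample data; not real customer records."""
    return DataStore(records={
        "customer_contact": {"C1001": {"name": "A. Customer",
                                       "email": "a.customer@example.invalid"}},
        "payment": {"C1001": {"card_last4": "0000"}},
    })


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access("alice", "support_agent", "customer_contact",
                       "C1001", "support ticket 42"))
    try:
        store.access("bob", "marketing", "payment", "C1001", "campaign list")
    except PermissionError as err:
        print("denied:", err)
    for entry in store.who_accessed("customer_contact", "C1001"):
        print(entry.when, entry.user, entry.reason)
    print("denied attempts:", len(store.denied_attempts()))
```

The design point is that there is no way to read a record without leaving an audit entry, and that a missing reason is itself grounds for refusal: the "why" is captured at the moment of access rather than reconstructed afterwards.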
Separate core systems
Many types of cyber-attack are initiated from a single point and then spread through systems; in the case of a ransomware attack this will often make use of a worm programme. By separating core systems across different networks, attacks may have less effect and may be picked up more quickly, preventing huge loss and downtime.
Implement an offsite backup
Accidental data loss can happen with relative ease, and a minor system error or server failure can cause data to be lost. Implementing a secure offsite backup is a vital way to begin recovering data quickly and easily.
Implement a DR plan
Cyber-attacks and data breaches can have vastly differing results, from minimal downtime to a total site loss. Disaster Recovery planning helps organisations prepare for the worst case and lay out a process to recover and return to operational capacity as quickly as possible.