From 1.2M to 10M, Dixons Carphone Admitted a Bigger Data Breach

In a public press release, Dixons Carphone, a mainstream European electrical and telecom retailer/services firm, announced that it became a victim of a security breach way back in 2017, the incident exposed 10 million customer records. The number is more than eight times than the initially reported figure of 1.2 million records from the company earlier. As the data breach happened earlier than May 25, 2018, GDPR ruling does not apply to the incident, making Dixons Carphone, not at risk of paying a heavy penalty under the new EU law.

Alex Baldock, the CEO of Dixons Carphone explained: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today. As a precaution, we’re now also contacting all our customers to apologize and advise on the steps they can take to protect themselves.”

For her part, Enza Iannopollo, a security analyst from Forrester has emphasized Dixons Carphone has a huge obligation at their end for damage control: “They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and a further decrease in the value of the business as a result of such a poor response to a very large breach.”

Iannapollo has expressed doubts about the effectiveness of data protection laws, as corporations seem more worried about government imposed penalties instead of losing customer trust due to security incidents. “It’s interesting the point about regulatory enforcement — I remember working with a number of banks and actually they were very worried about enforcement action. You don’t want a regulator to impose on you a specific process to handle data. You don’t want a regulator to impose on you a limitation on some processing activities. And they understand that the effect of such an enforcement action can probably be even more detrimental than a fine in some ways,” Iannapollo said.

She advised the company leaders to concentrate in caring for the customers above everything else, as Dixons Carphone seems to be unremorseful of the incident and their only focus is damage control in the name of a lighter penalty. “Probably the biggest push to GDPR enforcement is coming from customers themselves, both end users and business customers. I saw a lot of emphasis around whether the breach happened before GDPR — so hoping that there was not this standard. And also there was something else that was said about ‘there is no evidence that our customers suffered any financial loss’ as a result of the breach. And again it’s interesting because until a few days ago they didn’t even know the breadth of the breach and now they are saying there wasn’t a financial loss so we’re not prepared to provide compensation. This is not exactly what we see as a constructive way to tackle the breach and help your customers figure out how they can be safe even if you lost their data,” Innapollo added.

Baldock assured customers that all possible actions to correct the problem which enabled unauthorized individuals in penetrating their systems are now in-place. “Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us,” stressed Baldock.

“All they did was to say that we don’t have any evidence of financial losses so we are not ready to compensate. Are you really taking care of your customers in this instance? Are you really showing that there is a commitment to make sure that they still feel that you are responsible for their data, doing your best to protect this data? I don’t think so. The executive team were involved but I don’t think they were doing really a good job from their customer sentiment and customer trust point of view,” Innapollo concluded.