The Green Sheet

Friday, June 15, 2018

Dixons Carphone under fire for slow reporting of data breach

BBC News confirmed reports of a second major data breach at Dixons Carphone PLC, a publicly held British electronics retailer that operates as Currys PC World and Dixons Travel. The company reportedly found anomalies in its POS network in July 2017 but took nearly a year to disclose the malicious activity. In a June 13, 2018, statement, Dixons Carphone revealed the attack may have compromised 5.9 million credit and debit cards and more than 1 million consumer accounts. Security analysts criticized the delayed disclosure and the failure to protect critical infrastructure after the company suffered an earlier attack in 2015. Lee Munson, security researcher at Comparitech Ltd., said the Dixons Carphone breach highlights how commonplace massive data breaches have become. "What is worrying here is the delay between the breach occurring last year and the disclosure today," he said. "Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO [the Information Commissioner's Office] must be informed within 72 hours whenever possible."

Munson said he expects the incident to impact Dixons Carphone share prices throughout the remediation process and suggested even a short-term dip could be fatal to the retailer. "Of more concern is the effect this could have on the chain's customers, millions of whom have had their personal or payment card information leaked," he added.

Admit culpability

Munson and other security analysts have criticized Dixons Carphone for underplaying the incident's severity by saying it found "no evidence of fraudulent payments being made with the stolen cards." Tom Miller, senior vice president at Virsec, called the statement a "disturbing refrain we hear over and over." If the company was blind to the breach, not seeing evidence is hardly reassuring, he noted.

"Also disturbing is the comment that 'There is no connection to the previous incident' [the 2015 breach of Carphone Warehouse]," Miller said. "Of course there's a connection – the same organization got breached, fined, didn't take adequate steps to change security, and got breached again."

Michael Magrath, director of global regulations and standards at OneSpan Inc., noted that European Union data protection legislation such as the GDPR will impose heavy fines on organizations with lax data security protocols. "Organizations relying on a single shared secret to protect sensitive personal identifiable information has been very lucrative ‒ for hackers," he said. "While no security solution is 100 percent secure, in 2018 organizations not deploying risk-based authentication solutions are hoping they can dance between the raindrops when it comes to security."

Miller expressed hope the newly enforced GDPR will raise the bar for accountability but said it will take more than harsh penalties to stop data breaches. Businesses need to start "seriously rethinking how they secure sensitive customer data," he said.

Improve protections

Magrath stressed the need for organizations to adopt "multiple, layered authentication technologies," by combining PINs and passwords with biometrics and "analyzing context based on location and device characteristics."

Robert Capps, vice president of business development at NuData Security, a Mastercard company, said bad actors exploit the smallest security gaps to steal customer data. "As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile," he said. "In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world."

Capps said advanced techniques and technologies can protect consumers. "Multilayered technology that thwarts fraud exists right now," he stated. "Passive biometrics and behavioral analytics technology are making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can't replicate the customer's inherent behavior attached to that data."