The owner of Dixons and Carphone Warehouse today revealed hackers grabbed the details of 5.9 million customers' cards and 1.2 million personal records.
The major data breach involved shoppers at Currys PC World and Dixons Travel but bosses insist there is no sign of any related fraud.
Access was also gained to non-financial personal data, such as addresses, names and email information.
It comes just months after the company was fined £400,000 for a 2015 cyber attack which exposed the personal data of more than three million customers.
Retailer Dixons Carphone has become the latest victim of a cyber attack after revealing 5.9 million customer bank card details and 1.2 million personal data records were hacked
The retailer said there was a likely attempt to compromise millions of cards in a processing system for Currys PC World and Dixons Travel stores.
The retailer said 5.9 million of the payment cards targeted were protected by chip and Pin, but that around 105,000 non-EU cards without chip and Pin protection were compromised.
The company is urging customers to take protective measures, but said there is no evidence of fraud on the cards at this stage.
It said the data accessed did not contain Pin codes, card verification values (CVV) or any authentication data allowing cardholder identification or a purchase to be made.
The group added it did not believe the personal data accessed had left the group’s systems.
The hack could lead to the company becoming the latest to be fined by the Information Commissioner, after Yahoo was fined £250,000 over a breach involving 500,000 UK customers and TalkTalk was hit with a £400,000 fine after 150,000 customers' details were accessed.
Dixons Carphone chief executive Alex Baldock said: ‘We are extremely disappointed and sorry for any upset this may cause.
‘The protection of our data has to be at the heart of our business, and we’ve fallen short here.
‘We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.’
The breach included details of 5.9 million payment cards and 1.2 million personal data records
Simon McCalla, of Nominet, which is responsible for the security of UK domain names, said the timing of the breach is all the worse considering the recently introduced rules on data protection.
He said: ‘It’s also alarming to see how long it took the company to respond to the breach, which allegedly began in July last year.
‘As we’re now nearly a year on, something clearly went wrong. With GDPR now in place, businesses need to tighten up their processes and ensure they have a plan in place to prevent these breaches, or risk paying a huge penalty.
‘The company doesn’t believe any customer data left its systems, but at this stage they can’t be sure, especially as over 100,000 non-EU cards have been compromised.’
The Information Commissioner’s Office is investigating and urged anyone who feared they were a victim of fraud to follow the advice of Action Fraud.
It is understood the breach took place before new rules on data protection were introduced in May, meaning the company would not have had to notify authorities within 72 hours.
Dixons Carphone says it will write to affected customers and give them advice
However, lawyer Edward Parkes, from law firm Harcus Sinclair, said customers could still be entitled to compensation.
He said: ‘If the breach is Dixons’ fault, customers will inevitably want to be compensated for any damages and distress caused as a result of hackers being in possession of their financial data.
‘The sum will not be large, somewhere in the range of £1,000 to £5,000, and possibly even higher if a customer’s identity was stolen as a result.’
He warned that hackers could now send out emails posing as Dixons, a practice known as 'phishing'.
Dixons hack Q&A: Information for customers
How can I find out if I’m affected?
Dixons says the vast majority of the cards involved – 5.8 million – have chip and pin protection and attackers have not gained access to pin codes, CVV (card verification value) security numbers or any authentication data which could enable them to identify the cardholder or make purchases.
However around 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. Dixons says it immediately notified the card companies and banks, which are taking ‘the appropriate measures to protect customers’.
Separately, 1.2 million records containing non-financial personal data, such as name, address or email address, have been accessed but Dixons says it has no evidence at this stage that this information has left its systems or resulted in any fraud.
Dixons Carphone is writing over the coming days to those customers whose personal data was breached, ‘to inform them, to apologise, and to give them advice on any protective steps they should take’.
What is the advice from Dixons?
If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request.
If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040 or on the Action Fraud website.
Is there anything else I can do to protect myself?
Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try to take advantage of it.
How can I prevent myself from falling victim to a scammer?
If you receive a call from anyone you are not sure about, do not give out any personal details or passwords and take steps to check their identity.
Ask them to give you details only the company they claim to be calling from would know – for example, details of your service contract or how much you pay per month.
If you still have concerns about the caller’s identity, hang up and call the company back.
Bear in mind scammers may have access to more of your personal information than seems normal. So if you are at all suspicious hang up, look up the organisation’s number and call it yourself.
Dixons breach is latest in a series of hacking attacks on British firms
News of the Dixons hack comes the day after Yahoo's British arm was fined £250,000 for taking two years to tell half a million users that their personal information had been harvested by hackers.
Globally the personal data of 500 million international customers was taken, including more than 515,000 in Britain during the breach in 2014.
But it took the web giant two years to publicly admit this – meaning that users of the popular email service were in the dark for years.
Last night, the Information Commissioner’s Office (ICO) accused the company of failing to take ‘technical and organisational measures’ to protect the data of 515,121 customers.
Hackers have repeatedly targeted British companies to access customers’ data
It emerged last year that around 400,000 people in the UK may have had their information stolen following a cybersecurity breach at the credit monitoring firm Equifax.
The US company said an investigation had revealed that a file containing UK consumer information ‘may potentially have been accessed’.
The data included names, dates of birth, email addresses and telephone numbers, but not addresses, passwords or financial information, the company said.
In 2016, TalkTalk was hit with a record £400,000 fine for the security failings that led to the company being hacked in October 2015.
The Information Commissioner’s Office said the attack ‘could have been prevented if TalkTalk had taken basic steps to protect customers’ information’.
More than 150,000 of the internet service provider's customers had their personal information accessed, including sensitive financial data of more than 15,000 customers.