An investigation into one of the UK’s biggest data breaches at a single firm is under way after the data-protection watchdog confirmed it was looking into the cyberattack that has affected nearly 6 million payment cards.
The UK Information Commissioner’s Office and the National Cyber Security Center, a branch of Britain’s intelligence and security service GCHQ, said they are working with the retailer and other agencies following the attack, which also involved unauthorized access to 1.2 million personal records of Dixons Carphone customers.
The retailer said it only identified the breach while reviewing its data and systems. A second breach also involved the theft of personal data such as names, addresses, and email addresses.
“Anyone concerned about fraud or lost data should contact Action Fraud and we recommend that people are vigilant against any suspicious activity on their bank accounts,” the NCSC said.
Of the 5.9 million cards whose data was stolen, 5.8 million were protected by chip and PIN, and no card verification values (CVV), PIN codes or authentication data were accessed, meaning purchases cannot be made. A further 105,000 payment cards from outside the EU, with no chip and PIN protection, were accessed.
After the announcement of the breach, Dixons Carphone shares fell up to 6% at one point on Wednesday as investors anticipated potential damage to the brand as well as a possible steep fine. The previous Data Protection Act rules set a maximum fine of £500,000. Under the new GDPR rules that kicked in on May 25th, firms could face a maximum of €20m (£17.6m) or 4% of global turnover, whichever is the greater.
“We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 data-protection acts,” the UK Information Commissioner’s Office said in a statement.
Image credit: Pixabay.