Less than a month after GDPR came into force, Dixons Carphone has announced that it has been subject to a massive data breach that has compromised a wealth of customer data, including payment details of 5.9 million customers. The incident will likely cause significant reputational damage, but it could also lead to massive fines if the UK’s regulatory authority decides to bring the full weight of GDPR down on the company.
Under GDPR, an organisation can be fined up to 4% of annual global revenue (or €20m, whichever is higher) if it is deemed to have failed to comply with the new law in its handling of customer data. For Dixons Carphone, which had revenue of £10.5bn in 2017, this would mean a maximum fine of approximately £423m.
This represents a significant step up from the last fine the company faced for a data breach, showing the stark impact of the GDPR legislation.
“The company was hit with a £400,000 fine earlier this year for the 2015 breach, which affected over three million customers. In light of the fact that GDPR has now come into force, the fine the company will face for this latest breach could be substantially more,” said Oz Alashe, CEO of cybersecurity training platform CybSafe.
However, while it was only just announced, the breach occurred before GDPR came into effect. As a result, it remains unclear whether the UK’s regulatory body, the Information Commissioner’s Office (ICO), will decide to issue a fine under GDPR.
What data did Dixons Carphone lose in the breach?
In a release issued this morning, Dixons Carphone confirmed that there was an “attempt to compromise” 5.9 million cards in one of its store payment systems. However, it added that PIN codes and CVV numbers were not included, meaning only 105,000 of the cards – the ones without chip and PIN protection – were at risk of being used to make payments. The company also added that it had immediately notified the relevant card companies.
In addition, the company confirmed that 1.2 million records containing “non-financial personal data” such as names, addresses and email addresses had been accessed.
While the company was keen to state that it had “no evidence that this information has left our systems or has resulted in any fraud at this stage”, others are more sceptical about the likelihood of the data getting into the wrong hands.
“While there’s no evidence yet that the stolen card details have been misused, it is unfortunately probably more a case of when rather than if,” added Alashe.
“It is commonplace that bulk stolen credit card numbers are not used immediately, as it takes time to resell them on the dark web. Criminals also want the attention around the breach to die down before using them.”
How likely is it that Dixons Carphone will be fined under GDPR for the breach?
Whether Dixons Carphone will be fined under GDPR is not yet clear, with the ICO at this stage issuing a short statement:
“An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.”
For other companies that may be concerned about their own potential breaches, the ICO’s decision will be key.
“This will be an interesting precedent, as the breach occurred pre-GDPR enforcement date, but the impact to victims will happen post-GDPR enforcement date,” said Andy Norton, director of threat intelligence at Lastline.
“It will also be a dilemma for the ICO office, who has shown a preference not to impose large GDPR like fines. However, this is now the second occurrence and the ICO office will not want to be seen as being tolerant of data breaches.”
“It will be interesting, and noteworthy, to see how the ICO respond to this breach as it will likely set a precedent for those that follow, and certainly kick others into action if they haven’t already ensured they are meeting, or at least attempting to meet, the new requirements,” agreed Simon Cuthbert, head of international at 8MAN by Protected Networks.
“If Dixons Carphone are unable to provide information on who accessed the data, when, and what they did with it, and deliver a report that evidences this, then they stand a risk of really falling foul of the regulator.”
A lucky escape?
However, others felt that the timing of the breach meant the ICO would not issue Dixons Carphone with a fine under GDPR.
“Dixons was ‘lucky’ to have had the breach before the GDPR regulation became effective, and the impact of the breach on their business was limited to a 5.5% fall in the share price,” said Itsik Mantin, lead scientist at Imperva.
“Had the breach happened later than May 25, and if found guilty of not taking proper measures to protect their users’ data, they could have suffered the higher barrier of the GDPR’s monstrous fines.”
Legal experts, however, may not agree. Just a few weeks before GDPR came into effect, a leading data protection lawyer predicted that the first incident to be handled under the law would have already happened.
“The reality is that the breach, the incident has already occurred that is going to be the first one that is going to be dealt with in the new regime,” said Mark Deem, partner at law firm Cooley UK, in a talk reported on by Verdict’s online cybersecurity magazine Verdict Encrypt.
Even if Dixons Carphone is fined under GDPR, the ICO may opt to impose only a token fine in acknowledgement of the timing.
“As the breach happened before GDPR and it is a new regulation, Dixons Carphone might not be subject to the full fines but the ICO could make a point of publicising how much they could have been fined by fining them an ‘insignificant’ amount,” said Paul German, CEO of Certes Networks.