Dixons Carphone, the company behind Currys PC World, is still investigating a hacking attempt which involved almost six million credit and debit cards, plus 10 million customer data records (previously reported by the firm to be 1.2m).
The breach – according to the firm – was discovered in June 2018, but the hack itself occurred in July 2017.
Dixons Carphone says that virtually all the cards are safe because they’re protected by the chip-and-pin system, and none of the data from 105,000 older, unprotected cards has been used fraudulently. Those cards are non-European, so if you have UK-issued cards, you shouldn’t be affected.
It isn’t the first time the company has failed to adequately protect payment card data: it suffered a similar breach in 2015, in which the details of almost a million cards were compromised. TalkTalk and Vodafone were also hacked in the same year.
Have my card details been leaked in the hack?
Unless you have been contacted by Dixons Carphone or your card company, you are probably in the clear.
The hackers targeted the long number on credit and debit cards, but not PIN or verification codes. What this means is that you as the cardholder cannot be identified, nor can purchases be made with the information, so long as it is a chip-and-pin card.
What about my personal data?
Originally, Dixons Carphone said 1.2 million customer records were accessed in the breach, but it has now revealed the figure is almost ten times that, at 10m.
The records contained non-financial data including names, addresses and email addresses.
The company says that there is no evidence that data actually left its system, or has resulted in any fraud. It also said it will be apologising to customers, but didn't specify when or how it would do that.
Dixons Carphone has still not given any advice on what steps those affected should take.
What can I do to keep my data safe?
Unfortunately, once you hand over your personal and financial information to another company, there is nothing you can do but trust they will keep it secure and safe.
The GDPR rules introduced at the end of May mean companies must now take much better care of that data and face fines of up to £17.9m if they don’t.
Since the breach occurred before the new laws came into effect, Dixons Carphone might be fined up to the maximum of £500,000 under the old data protection laws.
Change your password
If you have an account with Currys PC World or any Dixons Carphone company, it’s worth changing the password.
Don’t use the same password you use for any other account, and don’t reuse old passwords.
Monitor your bank account
Keep an eye on your accounts for any unknown activity, and speak to your bank if you see any transactions you think could be fraudulent.
Don’t get scammed
As with any data breach, be extra vigilant about scams, particularly via email. Our advice is simple:
- Don’t click on any links in emails until you’ve verified they’re genuine and legitimate
- Don’t download or open any attachments unless you’re sure they’re safe
- Get some good antivirus software and keep it up to date
- Don’t give any details to cold callers