Dixons Carphone has begun contacting additional customers affected by the data breach it discovered back in June, admitting that its original estimate was considerably under the true figure: around 10 million customers' personal details were taken, not the 1.2 million non-payment records first reported.
The 2017 breach, which leaked data from servers holding customer records for Currys PC World and Dixons Travel stores around the country, was originally thought to affect 5.9 million customers' payment card details and 1.2 million non-payment records. While apologising for the breach, with Dixons Carphone chief executive Alex Baldock admitting that the company had 'fallen short' of its duty to protect customers, the company downplayed the severity, claiming that it had no evidence of financial losses suffered by its customers and that only 105,000 of the cards, all registered outside Europe, lacked Chip and PIN and card verification value (CVV) protection.
While the company's investigation has not uncovered any further evidence of fraud, it has revealed that considerably more data was taken than originally thought. In an email to affected customers sent out late last night, Dixons Carphone admitted that the breach's non-payment leak hit around 10 million customers, whose names, addresses, phone numbers, dates of birth and email addresses were taken during the attack.
'While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result,' Dixons Carphone's chief customer officer Antreas Athanassopoulos writes in the email. 'We are continuing to keep the relevant authorities updated. We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.
'We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.'
Any penalties levied for Dixons Carphone's failure to properly protect customer data will be calculated under the pre-GDPR data protection regime enforced by the Information Commissioner's Office (ICO), which capped fines at £500,000, rather than under the General Data Protection Regulation (GDPR) and its far higher maximum penalties, because the breach took place before GDPR came into force in May 2018.