Subscribe For Free
FOLLOW US

Dark web data sales fears after Dixons Carphone reveals hacking

Manny Pham
June 19, 2018

At the time of writing the company confirmed there had been no evidence of fraudulent activity as a result of the siphoned details

A top security expert has warned 105,000 Dixons Carphone customers are at risk of having details sold on the dark web after the firm revealed a hacking attempt last week.

That is according to co-organisers of UK Cybersecurity conference 44CON and security consultant Steve Lord.

“Those details will be exploited. Like any breach, what will happen is they’ll have their card details sold on the dark web for fraudsters to purchase, use and abuse.

“We don’t know how they have been hacked, we do know it was around 100,000 without chip and pin protection. In Carphone’s statement, it said the cards were non-EU issued which implies possibly US-issued.”

At the time of writing the company confirmed there had been no evidence of fraudulent activity as a result of the siphoned details. It had contacted all those affected.

Lord added: “The thing to keep in mind is Dixons Carphone and TalkTalk – which currently holds the world record for fines and data breaches – were one company. So, there’s going to be sharing in systems between both despite the demerger in 2009.”

Dixons Carphone confirmed the hack on June 13 after being targeted over the past year. Around 5.9 million card details were targeted but only 105,000 without chip-and- pin protection had been leaked.

New Dixons Carphone CEO Alex Baldock (pictured) said: “We are extremely disappointed and sorry for any upset this may cause.”

This was the second time in three years Dixons Carphone has had its security compromised, having been hacked in 2015.

The company has notified The Information Commissioner’s Office and Financial Conduct Authority which could mean a fine not as harsh if it were under the general data protection act (GDPR), which came into force on May 25. The first hack attempt was made in July last year.

Lord added: “The breach is from last year meaning any data protection act will be handled
by the ICO rather than GDPR. The maximum penalty for a data protection breach is £500,000 whilst GDPR is up to £20 million.”

Share this article