Dixons Carphone has issued an update on the data breach it revealed in June – the problem was worse than originally thought. Retail Connections gathers insights from the industry on where the retailer goes from here.
Electricals retailer Dixons Carphone has been putting further security measures in place to safeguard customer information and it has increased its investment in cybersecurity, following the announcement in June of a data breach impacting millions of customers.
The business detailed on 31 July how it has now put additional controls in place to protect against future attacks, and it said the company has been “working intensively” with an array of cybersecurity experts.
It indicated the investigation is nearing completion, but that it has identified that approximately ten million records containing personal data may have been accessed in 2017 – just under nine million more than originally calculated in June. There is evidence, it suggested, that some of this data may have left the company’s systems, although these records do not contain payment card or bank account details, and there is apparently no evidence of any fraud.
Dixons Carphone CEO Alex Baldock, who only joined the company earlier this year following a successful tenure at Very.co.uk and Littlewoods owner Shop Direct Group, said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today. As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.”
He apologised to customers, as he did in June when the issues first came to light, and said the organisation remains “fully committed to making their personal data safe with us”.
The breach reinforces the concept that breach detection doesn’t translate to protection, according to Simon Bain, CEO of security tech company BOHH Labs.
Fragile retailers must take control of their own cybersecurity measures or risk further damaging consumer confidence, he says, explaining: “Unfortunately, it appears to be the case of another day, another breach.
“While the breach has only just come to light, it’s been revealed that the incident actually occurred back in July 2017. Worryingly, this reinforces how in the dark organisations are when it comes to security – in this case, for almost an entire year, the company had no idea it had been impacted by a data breach.”
He adds: “For a sector already with its back to the wall, this will only create more concerns and nervousness amongst both retailers and consumers.”
A recent study sponsored by IBM Security, using research independently conducted by Ponemon Institute, found the mean time to identify a breach is 197 days, and the mean time to contain is 69 days.
“This means that on average, it takes half a year to identify a breach,” notes Bain.
“Imagine how much data an attacker could get in that amount of time while going unnoticed – the results will simply be catastrophic.”
Delayed detection of data breaches can lead to insurmountable losses for companies, specifically under the new regulations introduced this year, warns a cybersecurity expert at World Wide Technology.
Ben Boswell, VP Europe at World Wide Technology, comments: “Under GDPR, data governance, including secure storage, access, audit and mapping, is now a direct responsibility of the business, and failure to comply can lead to heavy fines.
“To avoid a similar crisis, the first step organisations must take is to understand the intricacies of the existing security structure. This will enable them to be able to detect unusual activity and put a quick response in place to safeguard sensitive customer data.”
Boswell argues that as the internet of things movement gathers pace in retail, with more and more connected devices and systems entering the business environment, technology that continually monitors and reacts to data anomalies will be essential to ensuring fast responses to security breaches.
“Without these systems in place, retail organisations will continue to expose customer data to security compromises and risk not only sensitive customer information but also incur crippling fines under GDPR,” he adds.
Dixons Carphone is one of many
Data breaches are on the increase at retail businesses, with US behemoths Macy’s, Sears and Best Buy among those affected since January 2017. Earlier this year, it was also revealed that the parent company of Costa Coffee, Whitbread, was the subject of a data breach after a cyberattack was carried out on its recruitment agency, PageUp.
The attack potentially left data, including address, email, phone numbers and dates of birth, open to thieves. It’s not just Dixons Carphone left feeling the impact of an attack.
A KPMG study found that 19% of consumers would stop shopping at a retailer after a breach and 33% would take a break from shopping there for an extended period if they were aware a breach had occurred.
And in its recently-published Security Guide, Vodat International outlines some of the tactics used by hackers to infiltrate Wi-Fi networks – and explains how retailers can fight back against them.
Paul Leybourne, head of sales at Vodat International, says: “Without sufficient security, hackers can access a Wi-Fi network and monitor data traffic, disrupt transactions and even launch a distributed denial of service attack, stopping a store from trading altogether.
“Hackers can also set up a fake Wi-Fi hotspot on-site, tricking both staff and customers into logging on so that personal details, including identities and passwords, can be accessed.”