back to article Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …

Page:

  1. Blockchain commentard

    Announced so soon after GDPR becomes law. Coincidinks?

    1. RAMstein

      No - that's now a requirement :-)

      I've no doubt they'd rather had this discovered under the old regime.

    2. TkH11

      They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum of £500,000 fine, now they have chosen to report the breach under GDPR the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10billion

    3. Anonymous Coward
      Anonymous Coward

      The GDPR became law in 2016. It's not *that* soon.

      1. Netbofia

        But implementation only occurred on the 25 of the past month.

  2. taxman
    Meh

    Half a story

    What I find interesting about a large number of these data breach stories is that so often there is one piece of information missing that is really useful - the period of the breach. This is not even mentioned in the press release from Dixons.

    1. Anonymous Coward
      Anonymous Coward

      Re: Half a story

      1st line of BBC article: "It is investigating the hacking attempt, which began in July last year.".

      July. 2017. Nice of them to tell everyone now.

      1. David Adams

        Re: Half a story

        "It is investigating the hacking attempt, which began in July last year.".

        But when did the breach finish?

        August last year? last week? Makes a big difference

      2. Fruit and Nutcase Silver badge
        Thumb Down

        Re: Half a story

        ...BBC article goes on to state

        Dixons insists that it only discovered this latest hack a week ago and it has no connection with any previous incident.

        So it's been going on undiscovered for 11-12 months now

      3. Anonymous Coward
        Anonymous Coward

        Re: A whole year.

        So nice of them to tell everyone a whole year after then could have actually done anything about it and prevented any loss.

    2. Anonymous Coward
      Anonymous Coward

      There's another weasel clause right there

      Can you back-date a firm's data-crimes to escape GDPR fallout? CEO's / Corporate Executives like to back-date their Stock Options! GDPR still leaves lots of room for other weasel clauses:

      --------------

      https://www.securitynow.com/author.asp?section_id=613&doc_id=740638

      1. ibmalone

        Re: There's another weasel clause right there

        Can you back-date a firm's data-crimes to escape GDPR fallout?

        One principle of laws is that civilised countries don't generally make things retrospectively illegal. I.e. outlawing the purchase of red lollipops doesn't let you arrest everyone who bought one last week.

        What I'm not sure about is where reporting undisclosed breaches prior to GDPR stand, you could certainly be required to report a recent breach that occurred prior to the legislation, as not reporting it is something you would be doing now. (Not having read those requirements in detail I'd guess this is addressed.)

        1. }{amis}{
          Headmaster

          Re: There's another weasel clause right there

          Can you back-date a firm's data-crimes to escape GDPR fallout?

          I asked my company's semi-tame in-house lawyer this question this morning.

          His response was that for Criminal law you will be judged and sentenced under the law that was in effect at the time of offending.

          What can throw a spanner into the works though is the case law ie the interpretation of law can change and the most current interpretation is always used.

          1. TkH11

            Re: There's another weasel clause right there

            The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here. That of when they reported the breach. They could have reported the breach under DPA but they left it and reported it under GDPR. So which is relevant, when the breach occurred, or when they detected it, or when they reported it?

            1. Adam 52 Silver badge

              Re: There's another weasel clause right there

              "So which is relevant"

              Neither. Because your question is based on a fundamental misunderstanding of breach notification rules.

            2. Lusty

              Re: There's another weasel clause right there

              "So which is relevant, when the breach occurred, or when they detected it, or when they reported it?"

              If only there were some kind of document we could consult to find such answers...Oh yes, they wrote the GDPR down so we don't have to guess.

              It's only 88 pages long including <intentionally blank> bits, just read it!!

            3. Andy Humphreys

              Re: There's another weasel clause right there

              My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now they know about the breach, they have to report it in under 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored? Either way, seems like a cock-up..

        2. Anonymous Coward
          Anonymous Coward

          Re: There's another weasel clause right there

          Try telling that to HMRC....

        3. SME Integrator

          Re: There's another weasel clause right there

          Er....yes they do. they retrospectively changed the law on trusts to create exactly that situation, what was OK at the time subsequently wasn't

  3. Pen-y-gors

    A fairly basic question...

    Why do all these businesses store credit card details? Small businesses have a system where they let a payment provider take the details and just say yes/no. Or even if the details are gathered locally, why do they need to be stored on a customer record once the details have been transmitted to the bank and the payment authorised?

    That would expose far fewer bits of critical data. Before now I've refused to develop an online shop for a customer who wanted to store CC details!

    And lets face it, if they crack the bank, Worldpay or Paypal you're stuffed anyway. Getting your CC details will be the least of the problems.

    1. steviebuk Silver badge

      Re: A fairly basic question...

      Because unfortunately most of us are lazy and don't want to have to enter are details every time you're ordering something. Especially annoying if you have to do it on the phone while you're secretly shopping while at work.

      1. Alister

        Re: Why do businesses store credit cards

        Because unfortunately most of us are lazy and don't want to have to enter our details every time you're ordering something.

        Even then, if done properly, there is no need to store the full card details anywhere on the system.

        Instead, you store an authentication token from whichever payment gateway provider you use (Verifone, World Pay, All Pay etc) which is generated on the first purchase. This authentication token is unique to the user's card and CVV, and can therefore be used for subsequent purchases.

        You would typically store the last four digits of the card, simply to be able to present it visually to the user in their account details on your site, so they can identify the card, but it isn't used for transactions.

        The CVV should never, ever be stored.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why do businesses store credit cards

          Simply because they were allowed to, and still without real penalty for when the data gets "leaked"

          Since the trade in personal information was also not restricted then the "leak" that does get reported is not necessarily the first nor the last.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why do businesses store credit cards

            I bought a phone from CPW in January, with a UK card not used elsewhere, Monday get a call to tell me it's been fraudulently used to buy Tesco mobile stuff and viagogo tickets to the value of about a grand.

            I suspect Dixons only found out about this fraud because the credit card companys that were seeing fraud linked them..

            It also seems to be untrue that CVV data wasn't accessed...

        2. Adam 52 Silver badge

          Re: Why do businesses store credit cards

          "Instead, you store an authentication token from whichever payment gateway provider you use"

          And then, unfortunately, you're locked in to that payment provider forever.

          1. Anonymous Coward
            Anonymous Coward

            Re: Refunds

            By law the payment system has to be able to put a refund back on that card. Why it is stored in house and not in the payment system is the real question. Or why it is stored for future automated payments or quick checkouts is the other.

            But the storage needs to be there for the refund system as far as I know.

            1. Adam 52 Silver badge

              Re: Refunds

              "By law"

              It's not by law. By contractual arrangement probably.

              No reason why a refund couldn't be associated with a transaction rather than a card, after all chargebacks are, but, yes, it does seem to need the card.

    2. Lee D Silver badge

      Re: A fairly basic question...

      I work for private schools.

      They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.

      Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities / etc.).

      Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.

      But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or at best take the details over the phone and type into the card machine as CNP transactions), Direct Debits, etc. or they use something like WorldPay or similar, but they don't store / process card information themselves.

      I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job - no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.

      And, yes, we do get targeted. We literally get targeted, faked, convincing email pretending to be the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and when we phone up to confirm are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.

      But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring your head office details that I have on your previous invoices on another line to confirm that).

      However, I can't imagine the carnage if such a place was to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider, that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including child's names, real address (not just agent), where they summer, what their mobile phones are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples spats with the school, etc.). Before you even get into credit card numbers.

      And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.

      1. Anonymous Coward
        Anonymous Coward

        Re: A fairly basic question...

        "where they summer"

        Holy fuck now I know for sure I'm one of the little people.

      2. TkH11

        Re: A fairly basic question...

        If the data was unencrypted then they HAVE done a bad job.

    3. FuzzyWuzzys

      Re: A fairly basic question...

      I can think of a few cases...

      They want CCs someone wrote some shitty payment system for their website and they don't want to bugger about with trying to tie to a proper payment vendor.

      A payment vendor will charge a management fee to handle the transaction and places like "CackPhone Whorehouse" don't want to pay the fees and would rather put your info at risk.

      The want the CC data in case you spend money at another company under control of their parent conpany, then they can tie all that juicy data together without having to a)wait for another data breach release on the black market or b) having to pay some shyster to hack Facebook accounts for your toilet habits!!

    4. Moog42

      Re: A fairly basic question...

      'Would you like to create an account to make your shopping experience easier next time?'

      Right up until we lose it.

      11 months is a long time, have they just been holed up in The Winchester hoping it will all blow over? And really not quite sure how they can be so certain that nothing has happened with those details in all that time?

    5. Stuart 22

      Re: A fairly basic question...

      "Why do all these businesses store credit card details?"

      These are very high numbers for people who elect to have their cards saved when making an online burchase from DSG. Looks more like DSG have logged every purchase.

      Given I've bought stuff in-shop and online but not stored - have my details been leaked or not? I await some correspondence from DSG with interest.

  4. Anonymous Coward
    Anonymous Coward

    How can it be accessed without leaving their systems in those volumes? Do you not need to read the record to leave an access in the log.? This announcement seems strangely worded to me but that's probably something to do with GDPR.

    1. Doctor Syntax Silver badge

      "This announcement seems strangely worded"

      It's just the usual "poor, injured, innocent us, hacked after all the care we take to look after your data" line.

  5. mrdalliard
    Mushroom

    "We are extremely disappointed and sorry for any upset this may cause."

    <gah>

    What is it about corporate statements?

    Instead of "We got compromised and we're sorry we let that happen.", we get that. There's this continual thing in corporate communications where they're "sorry" that an event occurred and they're "sorry" about any inconvenience caused, but why do they word things in such a way that almost distances them from taking any ownership, like "Sorry. We fucked up" ?

    Again.

    </gah>

    M.

    1. Doctor Syntax Silver badge

      Re: "We are extremely disappointed and sorry for any upset this may cause."

      "why do they word things in such a way that almost distances them from taking any ownership"

      Because anything they say could be taken down and used in court against them.

    2. Anonymous Coward
      Anonymous Coward

      'why do they word things in such a way that almost distances them from taking any ownership'

      ... Accountability.... That's why Zuk lied to lawmakers for 11 hours straight... Until more firms start taking a 300m FedEx / Maersk like hit to their bottom line, losing your details is just the cost of doing business! As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistake from repeated entry.

  6. Doctor Syntax Silver badge

    "Treating all communications with suspicion for the next few months ever is probably a good idea, especially in situations where any form of login details are required."

    FTFH

    1. I ain't Spartacus Gold badge
      Unhappy

      Especially if it's a communication from PC World!

      Did you see that scam advert for gold plated HDMI cables at £100, that give you a better picture. Who'd believe that shit? Oh hang on, that was genuine wasn't it. I overheard the guy in the shop selling the damned things.

      1. James O'Shea

        Oh, please... a mere 100 GBP? A pitance. Here in Deepest South Florida, at my local Best Buy they have $300 to $400 HDMI cables _in stock_ and can special order $600-700 cables. My fav Best Buy HDMI cable, the $1095 one, doesn’t seem to be available any more. Or maybe they’re just too embarrassed to admit that it ever existed.

        I go to Best Buy mostly to get a laugh, those boys are living in a world all their own.

        1. I ain't Spartacus Gold badge

          I'll happily pay $1,000 for an HDMI cable. So long as it carries the signal, cooks my dinner and makes the tea, while I'm watching telly.

          Otherwise the only use it would get is to stangle the person that tries to sell it to me.

  7. Crisp

    Information was accessed but hasn't left their systems?

    If it's been accessed, then that's how it left your system.

    1. Brewster's Angle Grinder Silver badge

      Re: Information was accessed but hasn't left their systems?

      It probably means they've found malware on the system, but have no evidence its recognised its hit the mother lode and started exfiltrating data.

    2. David Nash Silver badge

      Re: Information was accessed but hasn't left their systems?

      It's completely meaningless. What does "leaving the system mean"? Erased? nobody thinks that's happened. Transmitted to another party - of course, that's what "accessed" means. Unless the hacker was reading the HDD with a compass needle!

  8. alain williams Silver badge

    Me feeling happy ...

    that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus.

    1. Robert Sneddon

      Useful fallbacks

      postmaster@example.com always works. Me@127.0.0.1 is also worth trying.

      1. stiine Silver badge
        Devil

        Re: Useful fallbacks

        I always use anon@y.mo.us I don't think I've had any sites reject that email address.

      2. Threlkeld

        Re: Useful fallbacks

        spamgourmet.com

      3. Dr Dan Holdsworth

        Re: Useful fallbacks

        root@warez.bofh.org.uk is always a good one. That particular domain registration thing was done several times in the past for comic effect, but warez.bofh.org.uk is the only one left that I know of.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like