UK’s Dixons Carphone admits huge data breach

90 points by escapologybb, almost 7 years ago

13 comments

PuffinBlue, almost 7 years ago
These pieces of information seem important (quotes from article):

1) It is investigating the hacking attempt, which began in July last year.
2) Dixons insists that it only discovered this latest hack a week ago
3) "The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said."
4) There was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked
5) The good news is that nearly all of them were protected by good old chip and pin - and there is no evidence of any fraud relating to the 100,000 non European cards which didn't have that protection.

All of this suggests that rather than an attempt to breach a database or storage system, the attack was persistent and similar to that which occurred to Target where attackers breached the POS card terminal payment processing system.

Altogether a more 'worrying' type of attack given the length of time it was in place.
snowwolf, almost 7 years ago
Note that this is the second hack in 3 years they've had to disclose and they were fined £400k for that hack [1], which was obviously not enough to incentivise them to invest further in their security. Wonder what the ICO will do this time.

[1] https://techcrunch.com/2018/01/10/uks-carphone-warehouse-fined-nearly-540k-for-2015-hack/
amelius, almost 7 years ago
I think by now governments should have a service that gives citizens placeholder personal-information. So you could go to a shop and say: my name is X1, my address is X2, and my phone number is X3. If they want to send you a letter, they use the X information. The postal office has a special contract with the government, and can ask it to translate the information to real information.

It sounds cumbersome, and it is, but companies have shown they can't handle the information.
iamben, almost 7 years ago
"Luckily for Dixons, the incident happened before the new GDPR rules, which promise much bigger fines, came into force."

I wonder how many hacks we're going to hear about in the next few months which fall into the same category... [rolls eyes]
strooper, almost 7 years ago
Once the personal data is out, it is out, we can do nothing about it. It is not only credit card number that matters, our personal information matters the most. Unfortunately, we haven't seen any exemplary punishment for the responsible parties, nor have we seen any solid step taken in general to prevent data breach. It seems regular data breach is just to make us comfortable without a tail (reference to Aesop's fable: THE FOX WITHOUT A TAIL)
lexalizer, almost 7 years ago
I noticed this warning on the Talk Talk direct debit details page, two weeks ago: https://twitter.com/lexburdusel/status/1001994580672344064?s=03
MatthewWilkes, almost 7 years ago
Given they say this only affects cards without chip-and-pin, this is probably of interest to people from the US who have flown in to British airports, as Dixons operate electronics stores selling things like portable USB chargers, headphones, kindles, SD cards, etc in most large UK airports.
ilarum, almost 7 years ago
"The good news is that nearly all of them were protected by good old chip and pin".
- So what data is usually stored for chip and pin users?
- Does that mean non-chip and pin users' entire card data was stored in DB?
martinald, almost 7 years ago
Unsurprising, TalkTalk also has been breached badly. TalkTalk was spun out of Carphone a while back. Seems something very rotten with their approach to infosec.
ccnafr, almost 7 years ago
5.9 is not huge. What about the hundreds of millions that leaked from Equifax? That's huge.
M_Bakhtiari, almost 7 years ago
Carphone, Stagecoach, these Brits really seem to like naming their companies after obsolete technology.
michalxnet, almost 7 years ago
Funny thing last year this time I was picking up a camera and the till next to me was some guy buying SIM with some ID or proof of address requirements.

He was like "Sorry I don't have ID with me ...bla bla bla..., I have it on my e-mail, can I use your computer?"

And staff was like OK here you go, and they let him behind the counter to use their PC.

I was there good 5 minutes and the guy was still using the staff computer when I was leaving.

And I was in my head like "WTF?"
ConsumerLed, almost 7 years ago
I was the victim of identity fraud at a Carphone Warehouse branch. Someone set up 2 new contracts on 2 different networks using nothing but my address, bank account details and a fake ID (paid cash for the upfront payment). Their incompetence is mind-blowing. This company is going to £0.