Dixons Carphone has revealed that its recent data breach was far worse than previously thought, with around 10 million customers’ private data accessed.
Last month the technology retailer revealed that 5.9 million customers’ bank details had been accessed, including 105,000 non-EU cards which were not protected by a chip and pin number, as well as 1.2 million personal records.
However, following an investigation into the major data breach, now said to be nearly complete, Dixons Carphone found that this number is in fact far higher.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted,” it stated.
“We are continuing to keep the relevant authorities updated.
“As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud.
“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing.”
The cyber-attack, which occurred last July, was reportedly caused by an advanced computer virus – or malware – which penetrated processing systems at Currys PC World and Dixons Travel stores.
It is being investigated by the National Cyber Security Centre (NCSC) alongside other agencies – such as the Information Commissioner’s Office and Financial Conduct Authority.
Although the breach was discovered in the last few months, the fact it occurred within the last year – before the new European General Data Protection Regulation (GDPR) rules came into effect on May 25 – the maximum possible fine imposed would be £500,000.
Under the new GDPR rules, Dixons Carphone would be fined up to four per cent of its annual global revenue, which is estimated to be around £423 million.
Chief executive Alex Baldock said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.
“I want to assure them that we remain fully committed to making their personal data safe with us.”