By James Davey
LONDON (Reuters) - British mobile phone and electricals retailer Dixons Carphone has become the victim of a major cyber attack for the second time in three years after discovering unauthorized access to its payment card data.
Shares in Dixons Carphone, which issued a profit warning last month, fell as much as 6.4 percent on Wednesday, taking year-on-year losses to 37 percent.
"We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents," the company said.
It said an investigation, which started last week, indicated there was an attempt, going back to July last year, to compromise data on 5.9 million credit cards in one of the processing systems of Currys PC World and Dixons Travel stores.
It said 5.8 million of these cards had chip and pin protection and the data accessed contained neither pin codes, card verification values nor any authentication data that would enable cardholder identification or purchases to be made.
However, it said 105,000 non-EU issued payment cards which do not have chip and pin protection had been compromised. Dixons Carphone said it had immediately notified the relevant card companies so that they could protect customers.
It said it had found no evidence of any fraud on these cards as a result of this incident.
Dixons Carphone said it had also found that 1.2 million records containing non-financial personal data, such as names, addresses or email addresses, had been accessed. It said there was no evidence of fraud here either.
However, Britain's National Crime Agency (NCA) said it was heading a criminal investigation into the hack, working with the National Cyber Security Centre, the Financial Conduct Authority and Britain's data protection regulator, the Information Commissioner’s Office (ICO).
"The complexity of these inquiries means this is an investigation which will take time" said Mike Hulett, the NCA's head of operations.
The ICO said it was liaising with the National Cyber Security Centre, the FCA and other agencies to determine the impact on customers.
The group's Carphone Warehouse division suffered a data breach in 2015 and in February this year was fined a record matching 400,000 pounds ($533,240) by the ICO. It paid 320,000 pounds as there was a 20 percent reduction for early payment. It said since the 2015 attack it had worked extensively with cyber security experts to upgrade its security systems.
In 2016 the ICO fined broadband provider TalkTalk 400,000 pounds for security failings that allowed hackers to launch a cyber-attack in 2015.
"DISAPPOINTED AND SORRY"
"We are extremely disappointed and sorry for any upset this may cause," Dixons Carphone CEO Alex Baldock said.
"The protection of our data has to be at the heart of our business, and we’ve fallen short here."
Baldock joined Dixons Carphone in April and last month the group warned on profits and said it would have to close shops, wiping more than 500 million pounds off its stock market value.
Russ Mould, investment director at AJ Bell, said the cyber attack could undermine consumer confidence in the retailer.
"The fact this only came to light now thanks to a review of the company’s systems and data and actually occurred in 2017 is also cause for some concern," he said.
Because the data breach dates back to last year it will be dealt with by the ICO under the powers of the Data Protection Act 1998 and not the European Union General Data Protection Regulation (GDPR) which went into effect on May 25.
The maximum possible financial penalty under the 1998 Act is 500,000 pounds as opposed to 17 million pounds under GDPR.
(Additional reporting by Jack Stubbs and Andrew MacAskill, Editing by Kate Holton, Susan Fenton and Alison Williams)