Member Article
Dixons Carphone: the first post-GDPR breach
It has been revealed that Dixons Carphone was the victim of ‘unauthorised data access’ in which 5.9 million payment cards were compromised and 1.2 million personal data records, including names, email addresses and postal addresses, were stolen. There is currently no evidence that the stolen details have been used for fraudulent activity. This breach is the first to hit the headlines since GDPR came into force on 25th May, and whilst the intrusion began in July 2017, it will be interesting to see what the penalties are given that the breach was only uncovered in the past week.
“The scale and time-frame of this data breach is staggering,” said Ross Brewer, VP and MD EMEA at LogRhythm. “Initial attempts to access data began in July last year, yet this was only discovered over the past week, indicating that the company lacks vital threat detection capabilities.”
Brewer continued: “As the first major data breach to hit headlines since GDPR was enforced last month, there will be many companies keeping a watchful eye over how this is handled. Under these new regulations, companies can be fined up to 4% of their annual turnover if they fail to protect their data, however, with this breach taking place pre-GDPR, it’ll be interesting to see what approach the ICO takes. Either way, it’s likely that Dixons Carphone will be hit with a hefty fine for lax security.
“With the implications of a data breach so widely discussed – particularly in the lead-up to the implementation of GDPR – it constantly surprises me that businesses are not investing in the right tools to protect their data. While some may have given into the inevitability of a data breach, the repercussions of a successful attack under GDPR are now so much more severe. Reputations can be rebuilt, but not a lot of businesses can say they won’t be impacted by a significant fall in shares and a huge GDPR fine – even one as big as Dixons Carphone.
“Businesses must ensure they have tools in place that can quickly identify anomalous activity from the outset. Threat detection tools such as User and Entity Behaviour Analytics (UEBA) are intelligent enough to know what is legitimate behaviour on the network and what is not, allowing businesses to shut down unauthorised access before any data has been compromised. If Dixons Carphone had had this in place last year, they would have been able to nip this in the bud without any unwanted attention; instead they will become the poster boy for post-GDPR data breaches,” concluded Brewer.
This was posted in Bdaily's Members' News section by LogRhythm .