Dixons Carphone announced this morning before the markets opened that “approximately 10 million records containing personal data may have been accessed in 2017”. This follows a previous announcement in June when they had discovered an attempt to compromise 5.9 million payment cards and that 1.2 million of its customer records had been accessed.

That would be trouble enough, but this is not the first time that Dixons Carphone has been in trouble with the UK regulator (the ICO) regarding personal data breaches. In January 2018, The Carphone Warehouse Limited was fined £400,000 by the ICO in respect of a serious data breach which occurred in 2015. At the time, this was the most that the ICO had ever fined an organisation.

It is unclear from the carefully worded press statements issued by Dixons Carphone just how, if at all, these events are connected, but if I was a shareholder of Dixons Carphone, I would be worried.

Data breaches and announcements like these suggest to consumers that this company does not take the protection of their personal data seriously. When customer phone contracts come to an end, those customers have a choice – do they stay, or jump ship to a company they feel they can trust more with their personal data?

Questions for Dixons Carphone

The facts are impossible to establish from the extremely limited information which Dixons Carphone has chosen to publish. If I was either a shareholder or a customer of Dixons Carphone, I would like answers to the following questions:

  • Did Dixons Carphone fix the security problems identified by the ICO in January 2018?
  • How many of the customers affected by the 2015 breach were also affected by the 2017 breach?
  • Both the June press release and this morning’s press release refer to an internal review and investigation. Given that the first breach occurred three years ago, what are they reviewing and why haven’t they finished yet?
  • What happened to the 105,000 customers with non-EU payment cards whose cards were compromised and which weren’t protected by chip and pin?
  • Today’s press release states that “approximately 10 million records containing personal data may have been accessed in 2017” and that “there is now evidence that some of this data may have left our systems”. Were they accessed, or weren’t they? Has it left your systems or hasn’t it? Do you know?
  • Is Dixons Carphone going to compensate the 10 million customers affected by the breach?
  • How many claims have been made against Dixons Carphone as a result of these breaches? How many do they anticipate?

What does all this mean for Dixons Carphone?

The direct result for Dixons Carphone is that they are looking at the possibility of another large fine from the ICO. The ICO has said that it is looking at whether the 1998 or 2018 Data Protection Act applies to this latest breach. If it is the latter, then Dixons Carphone are looking at a fine of up to 4% of turnover. This is in addition to any claims from their customers.

What does this mean for companies generally?

Companies have to take data protection seriously, rather than merely say that they take it seriously. Dixons Carphone have made much in their statements of retaining cybersecurity experts to plug holes in their security. This does not appear to have worked.

Companies, therefore, need to take a look at their data protection compliance and ask the question, “Are we doing everything we should be doing to protect our customers’ data? Do we truly believe in compliance, or have we just been paying lip service?”

How to avoid a data breach

Companies would be much better served by taking a step back and looking at the bigger picture. Data protection compliance is not just about hackers. Systems and security are put in place by people. Vulnerabilities in those systems are created by people. It is people that lead to data breaches, whether exploited by hackers or otherwise.

We’ve said it before and we’ll say it again: companies need to train those people. They need to build a culture which appreciates the care that staff have to take with individuals’ personal data. When people have more understanding of the risks to individuals from misuse of personal data, data breaches are less likely to happen.

Also, companies need to understand that they can’t fix compliance by simply employing “experts”. Companies have to take responsibility for their own compliance. Consultants, lawyers and IT professionals may be able to help, but the organisation itself has to ‘own’ compliance. Only the company itself truly knows what personal data it has, where it is, what it does with it, who it shares it with, how long it keeps it and what it does with it when it no longer needs it.

The Privacy Compliance Hub

The Privacy Compliance Hub enables organisations to build and maintain their data protection compliance programme without reliance on expensive (and potentially counterproductive) outside help. It provides training for staff so data breaches are less likely to happen. Trusted by companies such as Channel 4, it establishes a culture of compliance which provides peace of mind to customers, staff, management and investors.

For more information like this, stay tuned to our resources page where we will be reacting to the latest data breaches.

 

By Nigel Jones – Co-founder