Currys PC World Data Breach

Currys PC World is the latest in a long line of corporations to suffer a large-scale data breach, but the positive news to take from the story is the swiftness and clarity of their response. One of our colleagues, as a Currys PC World customer, received an email explaining the loss of data, what was involved, and what he should do to protect himself from fraud.

The message was comprehensive and apologetic – and suggests that British businesses are finally learning how to respond to these kinds of cyber crimes.

The news from Currys PC World came in two waves. At first the company (a brand of Dixons Carphone) believed that 1.2 million customers were affected and that no payment card information was involved. Several weeks later the electronics giant had to report that the scale of the problem was far larger: after an internal investigation it put the number of customers affected at 10 million.

Currys PC World reports that none of its customers has been directly defrauded in the immediate aftermath of the data breach. But we know from previous breaches that stolen customer data is rarely used in isolation; it becomes the raw material for targeted phishing. Armed with a name, address, date of birth and email address, fraudsters can impersonate a retailer or bank convincingly enough to dupe people into handing over the further details that then give them access to bank accounts, payment cards and online stores.

So, the true impact of this kind of data breach is unlikely to be immediately obvious – and people who are defrauded six or nine months from now may never know that their loss originated with lax security at Currys PC World.

Alex Neill of Which? commented on the incident: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.”

The letter from Currys PC World is commendably clear and direct: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.”

Currys PC World also laid out clear guidance for their customers on how to minimise the risk of fraud:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

Although the value of Currys PC World shares fell after news of the initial data breach was revealed, markets reacted less extremely to the second wave of news, with shares actually rising slightly. This may reflect a degree of breach fatigue – or a belief that the high street’s last electronics retailer has already paid the price for its security failure.

Are data breaches an inevitable part of a society that lives and trades online? Or will businesses eventually find systems and processes to outfox the data bandits?

Worried about data breaches? Find out more about Data Protection eLearning from VinciWorks.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), each processing activity must be recorded, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach €20 million or 4% of global annual turnover, whichever is higher.




James

VinciWorks CEO, VinciWorks

