back to article Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …

Announced so soon after GDPR becomes law. Coincidinks?

23
2

No - that's now a requirement :-)

I've no doubt they'd rather had this discovered under the old regime.

38
0

They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum of £500,000 fine, now they have chosen to report the breach under GDPR the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10billion

7
1
Anonymous Coward

The GDPR became law in 2016. It's not *that* soon.

0
1

But implementation only occurred on the 25 of the past month.

1
0
Meh

Half a story

What I find interesting about a large number of these data breach stories is that so often there is one piece of information missing that is really useful - the period of the breach. This is not even mentioned in the press release from Dixons.

30
0
Anonymous Coward

Re: Half a story

1st line of BBC article: "It is investigating the hacking attempt, which began in July last year.".

July. 2017. Nice of them to tell everyone now.

30
0
Anonymous Coward

There's another weasel clause right there

Can you back-date a firm's data-crimes to escape GDPR fallout? CEO's / Corporate Executives like to back-date their Stock Options! GDPR still leaves lots of room for other weasel clauses:

--------------

https://www.securitynow.com/author.asp?section_id=613&doc_id=740638

3
0
Bronze badge

Re: There's another weasel clause right there

Can you back-date a firm's data-crimes to escape GDPR fallout?

One principle of laws is that civilised countries don't generally make things retrospectively illegal. I.e. outlawing the purchase of red lollipops doesn't let you arrest everyone who bought one last week.

What I'm not sure about is where reporting undisclosed breaches prior to GDPR stand, you could certainly be required to report a recent breach that occurred prior to the legislation, as not reporting it is something you would be doing now. (Not having read those requirements in detail I'd guess this is addressed.)

9
0
Silver badge
Headmaster

Re: There's another weasel clause right there

Can you back-date a firm's data-crimes to escape GDPR fallout?

I asked my company's semi-tame in-house lawyer this question this morning.

His response was that for Criminal law you will be judged and sentenced under the law that was in effect at the time of offending.

What can throw a spanner into the works though is the case law ie the interpretation of law can change and the most current interpretation is always used.

3
0

Re: Half a story

"It is investigating the hacking attempt, which began in July last year.".

But when did the breach finish?

August last year? last week? Makes a big difference

6
0

Re: There's another weasel clause right there

The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here. That of when they reported the breach. They could have reported the breach under DPA but they left it and reported it under GDPR. So which is relevant, when the breach occurred, or when they detected it, or when they reported it?

2
1
Silver badge
Thumb Down

Re: Half a story

...BBC article goes on to state

Dixons insists that it only discovered this latest hack a week ago and it has no connection with any previous incident.

So it's been going on undiscovered for 11-12 months now

2
0
Silver badge

Re: There's another weasel clause right there

"So which is relevant"

Neither. Because your question is based on a fundamental misunderstanding of breach notification rules.

0
0
Anonymous Coward

Re: A whole year.

So nice of them to tell everyone a whole year after then could have actually done anything about it and prevented any loss.

0
0
Silver badge

Re: There's another weasel clause right there

"So which is relevant, when the breach occurred, or when they detected it, or when they reported it?"

If only there were some kind of document we could consult to find such answers...Oh yes, they wrote the GDPR down so we don't have to guess.

It's only 88 pages long including <intentionally blank> bits, just read it!!

0
0
Anonymous Coward

Re: There's another weasel clause right there

Try telling that to HMRC....

1
0

Re: There's another weasel clause right there

My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now they know about the breach, they have to report it in under 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored? Either way, seems like a cock-up..

0
0

Re: There's another weasel clause right there

Er....yes they do. they retrospectively changed the law on trusts to create exactly that situation, what was OK at the time subsequently wasn't

0
0
Silver badge

A fairly basic question...

Why do all these businesses store credit card details? Small businesses have a system where they let a payment provider take the details and just say yes/no. Or even if the details are gathered locally, why do they need to be stored on a customer record once the details have been transmitted to the bank and the payment authorised?

That would expose far fewer bits of critical data. Before now I've refused to develop an online shop for a customer who wanted to store CC details!

And lets face it, if they crack the bank, Worldpay or Paypal you're stuffed anyway. Getting your CC details will be the least of the problems.

39
0
Bronze badge

Re: A fairly basic question...

Because unfortunately most of us are lazy and don't want to have to enter are details every time you're ordering something. Especially annoying if you have to do it on the phone while you're secretly shopping while at work.

7
8
Silver badge

Re: A fairly basic question...

I work for private schools.

They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.

Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities / etc.).

Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.

But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or at best take the details over the phone and type into the card machine as CNP transactions), Direct Debits, etc. or they use something like WorldPay or similar, but they don't store / process card information themselves.

I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job - no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.

And, yes, we do get targeted. We literally get targeted, faked, convincing email pretending to be the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and when we phone up to confirm are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.

But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring your head office details that I have on your previous invoices on another line to confirm that).

However, I can't imagine the carnage if such a place was to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider, that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including child's names, real address (not just agent), where they summer, what their mobile phones are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples spats with the school, etc.). Before you even get into credit card numbers.

And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.

32
0
Silver badge

Re: Why do businesses store credit cards

Because unfortunately most of us are lazy and don't want to have to enter our details every time you're ordering something.

Even then, if done properly, there is no need to store the full card details anywhere on the system.

Instead, you store an authentication token from whichever payment gateway provider you use (Verifone, World Pay, All Pay etc) which is generated on the first purchase. This authentication token is unique to the user's card and CVV, and can therefore be used for subsequent purchases.

You would typically store the last four digits of the card, simply to be able to present it visually to the user in their account details on your site, so they can identify the card, but it isn't used for transactions.

The CVV should never, ever be stored.

12
1
Silver badge

Re: A fairly basic question...

I can think of a few cases...

They want CCs someone wrote some shitty payment system for their website and they don't want to bugger about with trying to tie to a proper payment vendor.

A payment vendor will charge a management fee to handle the transaction and places like "CackPhone Whorehouse" don't want to pay the fees and would rather put your info at risk.

The want the CC data in case you spend money at another company under control of their parent conpany, then they can tie all that juicy data together without having to a)wait for another data breach release on the black market or b) having to pay some shyster to hack Facebook accounts for your toilet habits!!

3
8

Re: A fairly basic question...

'Would you like to create an account to make your shopping experience easier next time?'

Right up until we lose it.

11 months is a long time, have they just been holed up in The Winchester hoping it will all blow over? And really not quite sure how they can be so certain that nothing has happened with those details in all that time?

4
0
Anonymous Coward

Re: Why do businesses store credit cards

Simply because they were allowed to, and still without real penalty for when the data gets "leaked"

Since the trade in personal information was also not restricted then the "leak" that does get reported is not necessarily the first nor the last.

2
0
Anonymous Coward

Re: A fairly basic question...

"where they summer"

Holy fuck now I know for sure I'm one of the little people.

9
0

Re: A fairly basic question...

"Why do all these businesses store credit card details?"

These are very high numbers for people who elect to have their cards saved when making an online burchase from DSG. Looks more like DSG have logged every purchase.

Given I've bought stuff in-shop and online but not stored - have my details been leaked or not? I await some correspondence from DSG with interest.

0
0

Re: A fairly basic question...

If the data was unencrypted then they HAVE done a bad job.

4
0
Silver badge

Re: Why do businesses store credit cards

"Instead, you store an authentication token from whichever payment gateway provider you use"

And then, unfortunately, you're locked in to that payment provider forever.

1
0
Anonymous Coward

Re: Refunds

By law the payment system has to be able to put a refund back on that card. Why it is stored in house and not in the payment system is the real question. Or why it is stored for future automated payments or quick checkouts is the other.

But the storage needs to be there for the refund system as far as I know.

0
0
Anonymous Coward

Re: Why do businesses store credit cards

I bought a phone from CPW in January, with a UK card not used elsewhere, Monday get a call to tell me it's been fraudulently used to buy Tesco mobile stuff and viagogo tickets to the value of about a grand.

I suspect Dixons only found out about this fraud because the credit card companys that were seeing fraud linked them..

It also seems to be untrue that CVV data wasn't accessed...

4
0
Silver badge

Re: Refunds

"By law"

It's not by law. By contractual arrangement probably.

No reason why a refund couldn't be associated with a transaction rather than a card, after all chargebacks are, but, yes, it does seem to need the card.

0
0
Anonymous Coward

How can it be accessed without leaving their systems in those volumes? Do you not need to read the record to leave an access in the log.? This announcement seems strangely worded to me but that's probably something to do with GDPR.

1
0
Silver badge

"This announcement seems strangely worded"

It's just the usual "poor, injured, innocent us, hacked after all the care we take to look after your data" line.

19
0
Mushroom

"We are extremely disappointed and sorry for any upset this may cause."

<gah>

What is it about corporate statements?

Instead of "We got compromised and we're sorry we let that happen.", we get that. There's this continual thing in corporate communications where they're "sorry" that an event occurred and they're "sorry" about any inconvenience caused, but why do they word things in such a way that almost distances them from taking any ownership, like "Sorry. We fucked up" ?

Again.

</gah>

M.

22
0
Silver badge

Re: "We are extremely disappointed and sorry for any upset this may cause."

"why do they word things in such a way that almost distances them from taking any ownership"

Because anything they say could be taken down and used in court against them.

8
0
Anonymous Coward

'why do they word things in such a way that almost distances them from taking any ownership'

... Accountability.... That's why Zuk lied to lawmakers for 11 hours straight... Until more firms start taking a 300m FedEx / Maersk like hit to their bottom line, losing your details is just the cost of doing business! As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistake from repeated entry.

7
1
Silver badge

"Treating all communications with suspicion for the next few months ever is probably a good idea, especially in situations where any form of login details are required."

FTFH

12
0
Gold badge
Unhappy

Especially if it's a communication from PC World!

Did you see that scam advert for gold plated HDMI cables at £100, that give you a better picture. Who'd believe that shit? Oh hang on, that was genuine wasn't it. I overheard the guy in the shop selling the damned things.

7
0
Silver badge

Oh, please... a mere 100 GBP? A pitance. Here in Deepest South Florida, at my local Best Buy they have $300 to $400 HDMI cables _in stock_ and can special order $600-700 cables. My fav Best Buy HDMI cable, the $1095 one, doesn’t seem to be available any more. Or maybe they’re just too embarrassed to admit that it ever existed.

I go to Best Buy mostly to get a laugh, those boys are living in a world all their own.

5
0
Gold badge

I'll happily pay $1,000 for an HDMI cable. So long as it carries the signal, cooks my dinner and makes the tea, while I'm watching telly.

Otherwise the only use it would get is to stangle the person that tries to sell it to me.

0
0
Silver badge

Information was accessed but hasn't left their systems?

If it's been accessed, then that's how it left your system.

18
1
Silver badge

Re: Information was accessed but hasn't left their systems?

It probably means they've found malware on the system, but have no evidence its recognised its hit the mother lode and started exfiltrating data.

1
0
Silver badge

Re: Information was accessed but hasn't left their systems?

It's completely meaningless. What does "leaving the system mean"? Erased? nobody thinks that's happened. Transmitted to another party - of course, that's what "accessed" means. Unless the hacker was reading the HDD with a compass needle!

3
0
Silver badge

Me feeling happy ...

that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus.

7
0

Useful fallbacks

postmaster@example.com always works. Me@127.0.0.1 is also worth trying.

7
0
Silver badge

Re: Me feeling happy ...

"Sure, mysteryshopper001@mydomain.com".

It would be entirely valid if they did bother to send it, because my domain has as many addresses as I want.

But having a domain means I can literally make up any nonsense and block it if they do ever spam it / lose it.

9
0
Silver badge

Re: Me feeling happy ...

"that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus."

I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.

Halfrauds are also trying to do this email collection thing, so I can get an emailed copy of my receipt. No mate, paper is good enough.

18
1
Silver badge

Re: Me feeling happy ...

But having a domain means I can literally make up any nonsense and block it if they do ever spam it / lose it.

I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means that I can reply to their email and the only address that they ever see is their-name@email.my-domain. Such configuration is one of the nice things about running MUA/MTA mutt/exim together.

3
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018