back to article Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …

  1. Blockchain commentard Silver badge

    Announced so soon after GDPR becomes law. Coincidinks?

    1. RAMstein

      No - that's now a requirement :-)

      I've no doubt they'd rather had this discovered under the old regime.

    2. TkH11

      They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum of £500,000 fine, now they have chosen to report the breach under GDPR the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10billion

    3. Anonymous Coward
      Anonymous Coward

      The GDPR became law in 2016. It's not *that* soon.

      1. Netbofia

        But implementation only occurred on the 25 of the past month.

  2. taxman
    Meh

    Half a story

    What I find interesting about a large number of these data breach stories is that so often there is one piece of information missing that is really useful - the period of the breach. This is not even mentioned in the press release from Dixons.

    1. Anonymous Coward
      Anonymous Coward

      Re: Half a story

      1st line of BBC article: "It is investigating the hacking attempt, which began in July last year.".

      July. 2017. Nice of them to tell everyone now.

      1. David Adams

        Re: Half a story

        "It is investigating the hacking attempt, which began in July last year.".

        But when did the breach finish?

        August last year? last week? Makes a big difference

      2. Fruit and Nutcase Silver badge
        Thumb Down

        Re: Half a story

        ...BBC article goes on to state

        Dixons insists that it only discovered this latest hack a week ago and it has no connection with any previous incident.

        So it's been going on undiscovered for 11-12 months now

      3. Anonymous Coward
        Anonymous Coward

        Re: A whole year.

        So nice of them to tell everyone a whole year after then could have actually done anything about it and prevented any loss.

    2. Anonymous Coward
      Anonymous Coward

      There's another weasel clause right there

      Can you back-date a firm's data-crimes to escape GDPR fallout? CEO's / Corporate Executives like to back-date their Stock Options! GDPR still leaves lots of room for other weasel clauses:

      --------------

      https://www.securitynow.com/author.asp?section_id=613&doc_id=740638

      1. ibmalone Silver badge

        Re: There's another weasel clause right there

        Can you back-date a firm's data-crimes to escape GDPR fallout?

        One principle of laws is that civilised countries don't generally make things retrospectively illegal. I.e. outlawing the purchase of red lollipops doesn't let you arrest everyone who bought one last week.

        What I'm not sure about is where reporting undisclosed breaches prior to GDPR stand, you could certainly be required to report a recent breach that occurred prior to the legislation, as not reporting it is something you would be doing now. (Not having read those requirements in detail I'd guess this is addressed.)

        1. }{amis}{ Silver badge
          Headmaster

          Re: There's another weasel clause right there

          Can you back-date a firm's data-crimes to escape GDPR fallout?

          I asked my company's semi-tame in-house lawyer this question this morning.

          His response was that for Criminal law you will be judged and sentenced under the law that was in effect at the time of offending.

          What can throw a spanner into the works though is the case law ie the interpretation of law can change and the most current interpretation is always used.

          1. TkH11

            Re: There's another weasel clause right there

            The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here. That of when they reported the breach. They could have reported the breach under DPA but they left it and reported it under GDPR. So which is relevant, when the breach occurred, or when they detected it, or when they reported it?

            1. Adam 52 Silver badge

              Re: There's another weasel clause right there

              "So which is relevant"

              Neither. Because your question is based on a fundamental misunderstanding of breach notification rules.

            2. Lusty Silver badge

              Re: There's another weasel clause right there

              "So which is relevant, when the breach occurred, or when they detected it, or when they reported it?"

              If only there were some kind of document we could consult to find such answers...Oh yes, they wrote the GDPR down so we don't have to guess.

              It's only 88 pages long including <intentionally blank> bits, just read it!!

            3. Andy Humphreys

              Re: There's another weasel clause right there

              My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now they know about the breach, they have to report it in under 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored? Either way, seems like a cock-up..

        2. Anonymous Coward
          Anonymous Coward

          Re: There's another weasel clause right there

          Try telling that to HMRC....

        3. SME Integrator

          Re: There's another weasel clause right there

          Er....yes they do. they retrospectively changed the law on trusts to create exactly that situation, what was OK at the time subsequently wasn't

  3. Pen-y-gors Silver badge

    A fairly basic question...

    Why do all these businesses store credit card details? Small businesses have a system where they let a payment provider take the details and just say yes/no. Or even if the details are gathered locally, why do they need to be stored on a customer record once the details have been transmitted to the bank and the payment authorised?

    That would expose far fewer bits of critical data. Before now I've refused to develop an online shop for a customer who wanted to store CC details!

    And lets face it, if they crack the bank, Worldpay or Paypal you're stuffed anyway. Getting your CC details will be the least of the problems.

    1. steviebuk Silver badge

      Re: A fairly basic question...

      Because unfortunately most of us are lazy and don't want to have to enter are details every time you're ordering something. Especially annoying if you have to do it on the phone while you're secretly shopping while at work.

      1. Alister Silver badge

        Re: Why do businesses store credit cards

        Because unfortunately most of us are lazy and don't want to have to enter our details every time you're ordering something.

        Even then, if done properly, there is no need to store the full card details anywhere on the system.

        Instead, you store an authentication token from whichever payment gateway provider you use (Verifone, World Pay, All Pay etc) which is generated on the first purchase. This authentication token is unique to the user's card and CVV, and can therefore be used for subsequent purchases.

        You would typically store the last four digits of the card, simply to be able to present it visually to the user in their account details on your site, so they can identify the card, but it isn't used for transactions.

        The CVV should never, ever be stored.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why do businesses store credit cards

          Simply because they were allowed to, and still without real penalty for when the data gets "leaked"

          Since the trade in personal information was also not restricted then the "leak" that does get reported is not necessarily the first nor the last.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why do businesses store credit cards

            I bought a phone from CPW in January, with a UK card not used elsewhere, Monday get a call to tell me it's been fraudulently used to buy Tesco mobile stuff and viagogo tickets to the value of about a grand.

            I suspect Dixons only found out about this fraud because the credit card companys that were seeing fraud linked them..

            It also seems to be untrue that CVV data wasn't accessed...

        2. Adam 52 Silver badge

          Re: Why do businesses store credit cards

          "Instead, you store an authentication token from whichever payment gateway provider you use"

          And then, unfortunately, you're locked in to that payment provider forever.

          1. Anonymous Coward
            Anonymous Coward

            Re: Refunds

            By law the payment system has to be able to put a refund back on that card. Why it is stored in house and not in the payment system is the real question. Or why it is stored for future automated payments or quick checkouts is the other.

            But the storage needs to be there for the refund system as far as I know.

            1. Adam 52 Silver badge

              Re: Refunds

              "By law"

              It's not by law. By contractual arrangement probably.

              No reason why a refund couldn't be associated with a transaction rather than a card, after all chargebacks are, but, yes, it does seem to need the card.

    2. Lee D Silver badge

      Re: A fairly basic question...

      I work for private schools.

      They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.

      Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities / etc.).

      Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.

      But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or at best take the details over the phone and type into the card machine as CNP transactions), Direct Debits, etc. or they use something like WorldPay or similar, but they don't store / process card information themselves.

      I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job - no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.

      And, yes, we do get targeted. We literally get targeted, faked, convincing email pretending to be the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and when we phone up to confirm are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.

      But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring your head office details that I have on your previous invoices on another line to confirm that).

      However, I can't imagine the carnage if such a place was to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider, that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including child's names, real address (not just agent), where they summer, what their mobile phones are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples spats with the school, etc.). Before you even get into credit card numbers.

      And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.

      1. Anonymous Coward
        Anonymous Coward

        Re: A fairly basic question...

        "where they summer"

        Holy fuck now I know for sure I'm one of the little people.

      2. TkH11

        Re: A fairly basic question...

        If the data was unencrypted then they HAVE done a bad job.

    3. FuzzyWuzzys Silver badge

      Re: A fairly basic question...

      I can think of a few cases...

      They want CCs someone wrote some shitty payment system for their website and they don't want to bugger about with trying to tie to a proper payment vendor.

      A payment vendor will charge a management fee to handle the transaction and places like "CackPhone Whorehouse" don't want to pay the fees and would rather put your info at risk.

      The want the CC data in case you spend money at another company under control of their parent conpany, then they can tie all that juicy data together without having to a)wait for another data breach release on the black market or b) having to pay some shyster to hack Facebook accounts for your toilet habits!!

    4. Moog42

      Re: A fairly basic question...

      'Would you like to create an account to make your shopping experience easier next time?'

      Right up until we lose it.

      11 months is a long time, have they just been holed up in The Winchester hoping it will all blow over? And really not quite sure how they can be so certain that nothing has happened with those details in all that time?

    5. Stuart 22

      Re: A fairly basic question...

      "Why do all these businesses store credit card details?"

      These are very high numbers for people who elect to have their cards saved when making an online burchase from DSG. Looks more like DSG have logged every purchase.

      Given I've bought stuff in-shop and online but not stored - have my details been leaked or not? I await some correspondence from DSG with interest.

  4. Anonymous Coward
    Anonymous Coward

    How can it be accessed without leaving their systems in those volumes? Do you not need to read the record to leave an access in the log.? This announcement seems strangely worded to me but that's probably something to do with GDPR.

    1. Doctor Syntax Silver badge

      "This announcement seems strangely worded"

      It's just the usual "poor, injured, innocent us, hacked after all the care we take to look after your data" line.

  5. mrdalliard
    Mushroom

    "We are extremely disappointed and sorry for any upset this may cause."

    <gah>

    What is it about corporate statements?

    Instead of "We got compromised and we're sorry we let that happen.", we get that. There's this continual thing in corporate communications where they're "sorry" that an event occurred and they're "sorry" about any inconvenience caused, but why do they word things in such a way that almost distances them from taking any ownership, like "Sorry. We fucked up" ?

    Again.

    </gah>

    M.

    1. Doctor Syntax Silver badge

      Re: "We are extremely disappointed and sorry for any upset this may cause."

      "why do they word things in such a way that almost distances them from taking any ownership"

      Because anything they say could be taken down and used in court against them.

    2. Anonymous Coward
      Anonymous Coward

      'why do they word things in such a way that almost distances them from taking any ownership'

      ... Accountability.... That's why Zuk lied to lawmakers for 11 hours straight... Until more firms start taking a 300m FedEx / Maersk like hit to their bottom line, losing your details is just the cost of doing business! As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistake from repeated entry.

  6. Doctor Syntax Silver badge

    "Treating all communications with suspicion for the next few months ever is probably a good idea, especially in situations where any form of login details are required."

    FTFH

    1. I ain't Spartacus Gold badge
      Unhappy

      Especially if it's a communication from PC World!

      Did you see that scam advert for gold plated HDMI cables at £100, that give you a better picture. Who'd believe that shit? Oh hang on, that was genuine wasn't it. I overheard the guy in the shop selling the damned things.

      1. James O'Shea Silver badge

        Oh, please... a mere 100 GBP? A pitance. Here in Deepest South Florida, at my local Best Buy they have $300 to $400 HDMI cables _in stock_ and can special order $600-700 cables. My fav Best Buy HDMI cable, the $1095 one, doesn’t seem to be available any more. Or maybe they’re just too embarrassed to admit that it ever existed.

        I go to Best Buy mostly to get a laugh, those boys are living in a world all their own.

        1. I ain't Spartacus Gold badge

          I'll happily pay $1,000 for an HDMI cable. So long as it carries the signal, cooks my dinner and makes the tea, while I'm watching telly.

          Otherwise the only use it would get is to stangle the person that tries to sell it to me.

  7. Crisp Silver badge

    Information was accessed but hasn't left their systems?

    If it's been accessed, then that's how it left your system.

    1. Brewster's Angle Grinder Silver badge

      Re: Information was accessed but hasn't left their systems?

      It probably means they've found malware on the system, but have no evidence its recognised its hit the mother lode and started exfiltrating data.

    2. David Nash Silver badge

      Re: Information was accessed but hasn't left their systems?

      It's completely meaningless. What does "leaving the system mean"? Erased? nobody thinks that's happened. Transmitted to another party - of course, that's what "accessed" means. Unless the hacker was reading the HDD with a compass needle!

  8. alain williams Silver badge

    Me feeling happy ...

    that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus.

    1. Robert Sneddon

      Useful fallbacks

      postmaster@example.com always works. Me@127.0.0.1 is also worth trying.

      1. stiine Bronze badge
        Devil

        Re: Useful fallbacks

        I always use anon@y.mo.us I don't think I've had any sites reject that email address.

      2. Threlkeld

        Re: Useful fallbacks

        spamgourmet.com

      3. Dr Dan Holdsworth Silver badge

        Re: Useful fallbacks

        root@warez.bofh.org.uk is always a good one. That particular domain registration thing was done several times in the past for comic effect, but warez.bofh.org.uk is the only one left that I know of.

    2. Lee D Silver badge

      Re: Me feeling happy ...

      "Sure, mysteryshopper001@mydomain.com".

      It would be entirely valid if they did bother to send it, because my domain has as many addresses as I want.

      But having a domain means I can literally make up any nonsense and block it if they do ever spam it / lose it.

      1. alain williams Silver badge

        Re: Me feeling happy ...

        But having a domain means I can literally make up any nonsense and block it if they do ever spam it / lose it.

        I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means that I can reply to their email and the only address that they ever see is their-name@email.my-domain. Such configuration is one of the nice things about running MUA/MTA mutt/exim together.

        1. Lee D Silver badge

          Re: Me feeling happy ...

          "I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means"

          Well, technically, I do run my own MTA. The fact that almost all the email that I *WANT* to receive ends up in a bog-standard commercial webmail account is neither here nor there (and anything addressed direct to that account only that didn't come from my MTA? Spam).

          The fact is that I can switch it out any time I like to ANY destination, I can give people addresses (e.g. myfriend@mydomain.com, which forwards to his weird ISP-specific email), and I can filter at a level above what those providers do (e.g. all my email is greylisted for 5 minutes, etc. all the "misused" addresses go straight to the bin, and I can do tricks like "this is a valid email because it fits my rules on how many vowels each of my emails should have / what the number in the email should checksum to" so that even being able to make up emails doesn't give OTHER PEOPLE the ability to just make them up and spam me - I get a surprising amount of usernameusername@mydomain.com and even partial /corrupted usernames where the database obviously didn't line up correctly in their mailshot).

          But once set up, the personal effect is "log into my normal webmail, have no spam, can tell if an email was GENUINELY from paypal in seconds because only paypal know what the paypal address they have this year actually is".

      2. Pascal Monett Silver badge

        Re: my domain has as many addresses as I want

        Same here. I've set up a special account for that kind of situation : spam@mydomain.net

        I use that in response to any question and for online subscriptions that I do not intend to follow but have to sign up to get what I'm looking for.

        Needless to say : all mail going into that account is immediately trashed.

        1. BlinkenLights

          Re: my domain has as many addresses as I want

          I use company@mydomain.net, e.g. register@mydomain.net, or dixons@mydomain.net. Then if I get spam to a particular address I know who to blame.

      3. julian.smith

        Re: Me feeling happy ...

        I have my own domain

        I give each "requester" their own email address composed from their domain [theregister@mydomain.com]

        From then on it's trivial to identify "requesters" who have been compromised - their emails are also usually flagged by my provider's spam detection software and:

        - cease dealing with them

        - blacklist any email using the compromised details

        Easy peasy

    3. wolfetone Silver badge

      Re: Me feeling happy ...

      "that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus."

      I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.

      Halfrauds are also trying to do this email collection thing, so I can get an emailed copy of my receipt. No mate, paper is good enough.

      1. JimboSmith Silver badge

        Re: Me feeling happy ...

        I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.

        I own my own domain too and give out unique email addresses to individual companies that ask for one and that I deem worthy. I made a stay at a hotel in the UAE who did need my email because there was an issue that remained unresolved as we were checking out. I made damn certain that I indicated that I did not want to be contacted by third parties or have my details sold. I received an email from some business in the same country to that address and I was unimpressed. Called the hotel and spoke to the switchboard and had a nice girl there explain that whilst I might think that I'd received it because it was from the same country it probably wasn't anything to do with the hotel.

        Her: "Loads of people have your email address right?"

        Me: "No only you have that particular address"

        Her: "We wouldn't pass on your details if you told us not to. Are you sure?"

        Me: "Yes because the email address is yourhotelchain@mydomainname.com, it is unique to you and I haven't given it to anyone else because I've never stayed at your chain before!" (and won't again after this).

        Her: "Oh, I'm not sure who to transfer your call to."

        Me: "Well as I made sure I told you I don't want any contact from you and I've been sent something maybe your head of (IT) data security?"

        Her: "I'm not sure I know who that is, why them?"

        Me: "Because if you really haven't sold/passed on my details then I would suspect you've got a problem somewhere with your computers/data."

        Her: "I think all the IT people have gone home can you call back tomorrow?"

  9. anthonyhegedus Silver badge

    Heart of our business?

    "The protection of our data has to be at the heart of our business"? Who do they think they're fucking kidding!? At the heart of their business is conning people into buying shit they don't need when they buy a laptop, such as the laptop itself, norton virus, ms office etc. and persuading people to buy an insurance policy that costs half as much as the original item. Also right in the fucking dead centre of their business is refusing to honour said warranties and refusing to refund for faulty items. There Dixons Carphone Group - fixed that for you.

  10. Anonymous Coward
    Anonymous Coward

    Yet another Charles Dungstone data breach, you would have thought he might have learnt by now but evidence points to the contrary. The only way to teach him is by fining him personally.

    1. Anonymous Coward
      Anonymous Coward

      The only way to teach him is by fining him personally.

      He's got so much money any feasible fine wouldn't hurt. I say strap the pudgy faced public schoolboy into a device with his legs apart, and administer a public kick to the bollocks for each item of data lost. Obviously that's a lot of kicks, so each individual whose data was lost would have the right to place their own kick, or to "kick by proxy", nominating somebody like Johnny Wilkinson to do it for them. Mr Wilkinson's fee could be stuffed to Dunstone.

  11. Pat 11

    Timing is interesting for me

    I had two spear phishing phone calls last week, never happened before. Knew my name and address, avoided saying who they were, tried to get me to confirm my ID.

    How can we find out if we were pwned?

    1. stiine Bronze badge
      Meh

      Re: Timing is interesting for me

      I'm not sure, Pat, what's your number?

      1. Killfalcon Silver badge

        Re: Timing is interesting for me

        There are a small but annoying number of genuine corporate callers who are so paranoid about data breaches they don't identify themselves until you pass their DPA checks.

        Theory is that if they have the wrong number, they don't reveal that you have an account with who-ever they are. It's painful to deal with, and teaches people to give up their personal details to unidentified callers.

        1. Pat 11

          Re: Timing is interesting for me

          I take the view that any phone call, email, text, IM etc is utterly ignorable. If I'm wrong and it's important, they'll keep trying and find a better way to reach me, ideally by a hand-written letter.

          I've always felt phone calls are very one-sided arrangements; one person somewhere else decides it's time for me to have a conversation with them. Very often they are wrong.

          I am Ron Swanson.

        2. John H Woods Silver badge

          Re: Timing is interesting for me

          Them: "Can I get some security information before we proceed?"

          Me: "Can I ask you a question first?"

          Them: "Well ..."

          Me: "If I did have an account with you, what would be your advice about sharing security information with unknown people?"

          They: "Oh, you should never do that"

          Me: "Thought so. Goodbye"

    2. Aqua Marina

      How do I find out if i’ve been pwned?

      https://haveibeenpwned.com/

  12. adam payne Silver badge

    Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores

    Why are you storing card details?

    "We are extremely disappointed and sorry for any upset this may cause,"

    We are extremely disappointed in your company too.

    The one question is why did it take you so long to announce the breach? Did you just forget?

  13. Anonymous South African Coward Silver badge
    Facepalm

    How did the ne'er-do-wells manage to gain entry in order to milk the data?

    My reasoning - if the system is properly secured at the perimeter, then only three ways -

    1. Email with malware attachment

    2. Disgruntled employee

    3. Bad field technician

    1. stiine Bronze badge

      Front door of building? They're unlocked most of the time.

    2. Anonymous Coward
      Anonymous Coward

      I can think of a half dozen other ways

      starting with their online shop but most breaches are staff or former staff related.

    3. Outer mongolian custard monster from outer space (honest)

      Define properly secured at the perimeter. And bear in mind I was reading a paper today about how to bypass the akamai waf during a exploitation (I'm a offensive security bod before the mob tries to lynch me). The point being, that info is freely available on the net if you know where to research and both sides of the game have it. If you've evaded the waf, your attack will look like normal web traffic anyway if you get it to dump out via the same web server as a response unless you set off a sensor getting it to throw a reverse shell via a port or similar.

    4. Anonymous Coward
      Anonymous Coward

      How did the ne'er-do-wells manage to gain entry in order to milk the data?

      How does any director gain access to the building he works at? We should consider that the attackers were doing what they do best, finding a weakness and preying on it. As such we should consider that they might qualify as "professionals". Dixonscarphonedoghouse on the other hand were screwing up as usual, so the term "ne'er-do-wells" is probably best applied to their bungling management.

  14. dbgi

    Perhaps I need a forwarding email address for every shop

    As an interesting long term experiment, it would be good to setup a forwarding email address for every shop that insists an email address. e.g. Mountain Warehouse, Go Outdoors, PC World, etc.

    Then when I get some of those spam emails or emails appearing on pwned, I know where the leak came from.

    1. Anonymous Coward
      Anonymous Coward

      Re: Perhaps I need a forwarding email address for every shop

      If you have a... yes, Yahoo email address you can set up disposable addresses based on a common id, for example, your common id is abcdef, so an email address would be dixons-abcdef@yahoo.whatever. You can then set that address (up to 100) for each place you shop at then drop it once comprimised.... I did the above several years ago and only have about 10 left now our of the 40 or so I ended up creating. I does take some patience though.

      1. anthonyhegedus Silver badge

        Re: Perhaps I need a forwarding email address for every shop

        Aren't yahoo accounts compromised on creation?

    2. John H Woods Silver badge

      Re: Perhaps I need a forwarding email address for every shop

      A lot of web forms incorrectly reject it but a "plus form" address (RFC2822) is what you are looking for.

      yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it.

      1. Mike Richards Silver badge

        Re: Perhaps I need a forwarding email address for every shop

        Did not know about that - thanks!

      2. Cynic_999 Silver badge

        Re: Perhaps I need a forwarding email address for every shop

        "

        A lot of web forms incorrectly reject it but a "plus form" address (RFC2822) is what you are looking for.

        "

        Doesn't seem to work on either my company email address or my gmail address. :-(

        1. Adam 52 Silver badge

          Re: Perhaps I need a forwarding email address for every shop

          Should definitely work at Gmail, it's explicitly mentioned in the documentation.

          Not foolproof though, we had to scrub the plus suffix from a load of addresses when migrating them to a new CRM that had broken email address parsing.

      3. dave 76

        Re: Perhaps I need a forwarding email address for every shop

        "yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it."

        Except that is so well known that I would expect any malicious spam merchants to sanitise the email address by removing the +anythingyoulike so that your sorting/spam rules don't work.

  15. Stevie Silver badge

    Bah!

    Not to worry.

    The data was encrypted and un-aggregated so mo-one will have their ID spoofed, stolen or sold-on by non-Dixons un-business partners.

    What?

  16. Walter Bishop Silver badge
    Terminator

    Retailers not adopting appropriate cybersecurity strategies

    "Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies"

    That's because there is no real penalty for not implementing appropriate cybersecurity strategies.

  17. SkippyBing Silver badge

    Ha Jokes on Them

    I've lost* all my credit cards and had them replaced since I last shopped there** so it's all useless information.

    *Lost, fell out of my pocket while motorcycling across France, same difference.

    **2016, I needed a new hard drive fast and they were actually the same price as Amazon.

    1. Crisp Silver badge

      Re: Ha Jokes on Them

      Get a wallet with a chain on it.

      1. SkippyBing Silver badge

        Re: Ha Jokes on Them

        'Get a wallet with a chain on it.'

        That was learning point #2!

        Learning point #1 was that it's actually quite handy having a contact less card saved on your phone so you can at least pay for accommodation before you cancel everything. Learning point #3 is to leave that card at home next time.

      2. Outer mongolian custard monster from outer space (honest)

        Re: Ha Jokes on Them

        Don't you have to have leather trousers with no bum in them to have a wallet on a chain?

        Personally I put my wallet and phone in the big inside pocket inside the jacket, then by the time you've fell off and burst the main zip and slid far enough further to drag it inside out and abrade the liner away, dropping your phone is the least of your worries. Also stops it getting too wet. Soggy money is no fun.

  18. Anonymous Coward
    Anonymous Coward

    I advised them of a breach in May 2016 when an email address that I used specifically for contacting them started being used for spamming purposes out in the wild.

    Yet they were only breached in July 2017 .. apparently.

  19. VinceH Silver badge
    Coat

    FTA: "Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records."

    Oh, do try harder, Dixons Carphone - if you want to compete with the big boys, you need to have much bigger breaches than that.

  20. LeahroyNake Bronze badge

    Advice ?

    'We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.'

    I'm guessing that they will tell you to use a credit reference agency... sounds like a great idea :/

  21. Cynic_999 Silver badge

    How about cookies?

    If a company puts your CC details in a cookie that it sends to you (then forgets), it could retrieve those details by grabbing the cookie next time you place an order. However the details will then only be kept on *your* computer, not the company's servers, so I assume GDPR considerations will not apply.

    The cookie could be encrypted, with the company using a different (random) encryption key for every customer. Then even if the company is hacked and all the keys stolen it would cause limited damage.

    Of course, customers who place a new order using a different computer would have to enter their CC details again.

    1. Alister Silver badge

      Re: How about cookies?

      There is no reason to go to such obscure lengths, there are already perfectly good mechanisms by which a customer can have a token stored for future use which do not need card details or CVVs to be retained.

      Dixon Carphone obviously thought they could do it their own way.

  22. Drone Pilot

    Fatigue?

    Another breach and only 69 comments 12 hours later. Even @Reg folk are getting fatigued and bored by these.

  23. StuntMisanthrope Bronze badge

    Attack Vector Warranty - 2 Year Cover.

    Might start selling these on the forum. #thespreadsheetislegal #howzat #strike

  24. The Boojum
    FAIL

    Communication preferences

    I received a text from Currys PCW yesterday stating that 'Important information from Currys PC World concerning data security' was to be found at a shortened URL. A check of the URL results in a long, tech-style address ending in cpwplc.com. Checks on that reveal this it's probably OK but I'm not minded to try it out.

    So in short - and assuming it's valid link - lets warn our customers by sending them a text that looks like an invitation to be phished!

    Sounds to me like an early recipient of of a GDPR 'Right to be forgotten' instruction.

    1. Monkey12

      Re: Communication preferences

      Good luck!

      I tried the "right to be forgotten". Seems they will only action this if I prove that I am who I say I am. For this they need me to send in a copy of my passport and official letter showing my address. Unsurprisingly I'm not willing to do this so they are going to retain all my personal information.

  25. EnviableOne Bronze badge

    OK so they had simillar hapen and ICO hit them with a £400k fine

    this is their second breach with Credit card data

    I can see two potential consequences:

    the ICO hit them with a BIG GDPR fine (last years t/o £10,580m makes max fine £211.6m/£423.2m)

    PCI suspend their payment processing rights (no card transactions - All their online business and presumably most of there in store)

  26. Anonymous Coward
    Anonymous Coward

    Honest

    At least they admitted to it. Page up people an very nasty company that filters job aplacants by asking up t 60pages of questions was recently hacked with loads of people's data stolen, did page up people notify any one, no , one of their clients contracted me to let me know and that they would not be using them any more

  27. Tom Paine Silver badge
    Unhappy

    Well aware?

    As a multinational organisation, Dixons Carphone would have been well aware of the Target breach.

    As an infosec grunt toiling in the trenches, _I_ am well aware that this is absolute bollocks. i nearly fell off my chair when our CIO mentioned Maerk, but that was a week or tweo after the post-mortem "how we covered from having our entire estate bricked" was publicised.

    I bet if you took 100 CIO, COOs, CSOs etc - let alone the line management - and asked them to name 3 big hacks from the last decade off the top of their heads,85% would struggle.

  28. Anonymous Coward
    Anonymous Coward

    I find that my details are on the Dixons Carphone list of customers whose information they have inadvertently shared. I tried to use my right under GDPR to have my personal details deleted. I am told that this is possible but only if I send further personal detail including a copy of my passport! They must be joking (but apparently not)

    Methinks the company isn't really interested in meeting their data management responsibilities but is interested in maintaining as large a list of customer details as possible!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019