Announced so soon after GDPR becomes law. Coincidinks?
Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards
Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …
COMMENTS
-
-
Wednesday 13th June 2018 17:31 GMT TkH11
They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum of £500,000 fine, now they have chosen to report the breach under GDPR the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10billion
-
-
Wednesday 13th June 2018 11:03 GMT Anonymous Coward
There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout? CEO's / Corporate Executives like to back-date their Stock Options! GDPR still leaves lots of room for other weasel clauses:
--------------
https://www.securitynow.com/author.asp?section_id=613&doc_id=740638
-
Wednesday 13th June 2018 11:40 GMT ibmalone
Re: There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout?
One principle of laws is that civilised countries don't generally make things retrospectively illegal. I.e. outlawing the purchase of red lollipops doesn't let you arrest everyone who bought one last week.
What I'm not sure about is where reporting undisclosed breaches prior to GDPR stand, you could certainly be required to report a recent breach that occurred prior to the legislation, as not reporting it is something you would be doing now. (Not having read those requirements in detail I'd guess this is addressed.)
-
Wednesday 13th June 2018 12:11 GMT }{amis}{
Re: There's another weasel clause right there
Can you back-date a firm's data-crimes to escape GDPR fallout?
I asked my company's semi-tame in-house lawyer this question this morning.
His response was that for Criminal law you will be judged and sentenced under the law that was in effect at the time of offending.
What can throw a spanner into the works though is the case law ie the interpretation of law can change and the most current interpretation is always used.
-
Wednesday 13th June 2018 17:35 GMT TkH11
Re: There's another weasel clause right there
The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here. That of when they reported the breach. They could have reported the breach under DPA but they left it and reported it under GDPR. So which is relevant, when the breach occurred, or when they detected it, or when they reported it?
-
Thursday 14th June 2018 16:54 GMT Lusty
Re: There's another weasel clause right there
"So which is relevant, when the breach occurred, or when they detected it, or when they reported it?"
If only there were some kind of document we could consult to find such answers...Oh yes, they wrote the GDPR down so we don't have to guess.
It's only 88 pages long including <intentionally blank> bits, just read it!!
-
Thursday 14th June 2018 17:27 GMT Andy Humphreys
Re: There's another weasel clause right there
My bet is that they were actually performing a data/systems check for GDPR (a little late) and in that process they found they had been breached last year. So now they know about the breach, they have to report it in under 72 hours. My view is that it points to the theory that they have relevant event logging, but nobody was monitoring it, or, if there was an alert, it was missed or ignored? Either way, seems like a cock-up..
-
-
-
-
Wednesday 13th June 2018 10:06 GMT Pen-y-gors
A fairly basic question...
Why do all these businesses store credit card details? Small businesses have a system where they let a payment provider take the details and just say yes/no. Or even if the details are gathered locally, why do they need to be stored on a customer record once the details have been transmitted to the bank and the payment authorised?
That would expose far fewer bits of critical data. Before now I've refused to develop an online shop for a customer who wanted to store CC details!
And lets face it, if they crack the bank, Worldpay or Paypal you're stuffed anyway. Getting your CC details will be the least of the problems.
-
-
Wednesday 13th June 2018 12:05 GMT Alister
Re: Why do businesses store credit cards
Because unfortunately most of us are lazy and don't want to have to enter our details every time you're ordering something.
Even then, if done properly, there is no need to store the full card details anywhere on the system.
Instead, you store an authentication token from whichever payment gateway provider you use (Verifone, World Pay, All Pay etc) which is generated on the first purchase. This authentication token is unique to the user's card and CVV, and can therefore be used for subsequent purchases.
You would typically store the last four digits of the card, simply to be able to present it visually to the user in their account details on your site, so they can identify the card, but it isn't used for transactions.
The CVV should never, ever be stored.
-
-
Thursday 14th June 2018 06:45 GMT Anonymous Coward
Re: Why do businesses store credit cards
I bought a phone from CPW in January, with a UK card not used elsewhere, Monday get a call to tell me it's been fraudulently used to buy Tesco mobile stuff and viagogo tickets to the value of about a grand.
I suspect Dixons only found out about this fraud because the credit card companys that were seeing fraud linked them..
It also seems to be untrue that CVV data wasn't accessed...
-
-
-
Wednesday 13th June 2018 21:41 GMT Anonymous Coward
Re: Refunds
By law the payment system has to be able to put a refund back on that card. Why it is stored in house and not in the payment system is the real question. Or why it is stored for future automated payments or quick checkouts is the other.
But the storage needs to be there for the refund system as far as I know.
-
-
-
-
Wednesday 13th June 2018 10:49 GMT Lee D
Re: A fairly basic question...
I work for private schools.
They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.
Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities / etc.).
Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.
But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or at best take the details over the phone and type into the card machine as CNP transactions), Direct Debits, etc. or they use something like WorldPay or similar, but they don't store / process card information themselves.
I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job - no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.
And, yes, we do get targeted. We literally get targeted, faked, convincing email pretending to be the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and when we phone up to confirm are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.
But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring your head office details that I have on your previous invoices on another line to confirm that).
However, I can't imagine the carnage if such a place was to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider, that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including child's names, real address (not just agent), where they summer, what their mobile phones are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples spats with the school, etc.). Before you even get into credit card numbers.
And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.
-
Wednesday 13th June 2018 12:12 GMT FuzzyWuzzys
Re: A fairly basic question...
I can think of a few cases...
They want CCs someone wrote some shitty payment system for their website and they don't want to bugger about with trying to tie to a proper payment vendor.
A payment vendor will charge a management fee to handle the transaction and places like "CackPhone Whorehouse" don't want to pay the fees and would rather put your info at risk.
The want the CC data in case you spend money at another company under control of their parent conpany, then they can tie all that juicy data together without having to a)wait for another data breach release on the black market or b) having to pay some shyster to hack Facebook accounts for your toilet habits!!
-
Wednesday 13th June 2018 12:44 GMT Moog42
Re: A fairly basic question...
'Would you like to create an account to make your shopping experience easier next time?'
Right up until we lose it.
11 months is a long time, have they just been holed up in The Winchester hoping it will all blow over? And really not quite sure how they can be so certain that nothing has happened with those details in all that time?
-
Wednesday 13th June 2018 16:59 GMT Stuart 22
Re: A fairly basic question...
"Why do all these businesses store credit card details?"
These are very high numbers for people who elect to have their cards saved when making an online burchase from DSG. Looks more like DSG have logged every purchase.
Given I've bought stuff in-shop and online but not stored - have my details been leaked or not? I await some correspondence from DSG with interest.
-
-
Wednesday 13th June 2018 10:15 GMT mrdalliard
"We are extremely disappointed and sorry for any upset this may cause."
<gah>
What is it about corporate statements?
Instead of "We got compromised and we're sorry we let that happen.", we get that. There's this continual thing in corporate communications where they're "sorry" that an event occurred and they're "sorry" about any inconvenience caused, but why do they word things in such a way that almost distances them from taking any ownership, like "Sorry. We fucked up" ?
Again.
</gah>
M.
-
Wednesday 13th June 2018 11:14 GMT Anonymous Coward
'why do they word things in such a way that almost distances them from taking any ownership'
... Accountability.... That's why Zuk lied to lawmakers for 11 hours straight... Until more firms start taking a 300m FedEx / Maersk like hit to their bottom line, losing your details is just the cost of doing business! As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistake from repeated entry.
-
-
-
Wednesday 13th June 2018 15:46 GMT James O'Shea
Oh, please... a mere 100 GBP? A pitance. Here in Deepest South Florida, at my local Best Buy they have $300 to $400 HDMI cables _in stock_ and can special order $600-700 cables. My fav Best Buy HDMI cable, the $1095 one, doesn’t seem to be available any more. Or maybe they’re just too embarrassed to admit that it ever existed.
I go to Best Buy mostly to get a laugh, those boys are living in a world all their own.
-
-
-
-
Wednesday 13th June 2018 12:00 GMT David Nash
Re: Information was accessed but hasn't left their systems?
It's completely meaningless. What does "leaving the system mean"? Erased? nobody thinks that's happened. Transmitted to another party - of course, that's what "accessed" means. Unless the hacker was reading the HDD with a compass needle!
-
-
-
Wednesday 13th June 2018 11:34 GMT alain williams
Re: Me feeling happy ...
But having a domain means I can literally make up any nonsense and block it if they do ever spam it / lose it.
I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means that I can reply to their email and the only address that they ever see is their-name@email.my-domain. Such configuration is one of the nice things about running MUA/MTA mutt/exim together.
-
Wednesday 13th June 2018 12:29 GMT Lee D
Re: Me feeling happy ...
"I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means"
Well, technically, I do run my own MTA. The fact that almost all the email that I *WANT* to receive ends up in a bog-standard commercial webmail account is neither here nor there (and anything addressed direct to that account only that didn't come from my MTA? Spam).
The fact is that I can switch it out any time I like to ANY destination, I can give people addresses (e.g. myfriend@mydomain.com, which forwards to his weird ISP-specific email), and I can filter at a level above what those providers do (e.g. all my email is greylisted for 5 minutes, etc. all the "misused" addresses go straight to the bin, and I can do tricks like "this is a valid email because it fits my rules on how many vowels each of my emails should have / what the number in the email should checksum to" so that even being able to make up emails doesn't give OTHER PEOPLE the ability to just make them up and spam me - I get a surprising amount of usernameusername@mydomain.com and even partial /corrupted usernames where the database obviously didn't line up correctly in their mailshot).
But once set up, the personal effect is "log into my normal webmail, have no spam, can tell if an email was GENUINELY from paypal in seconds because only paypal know what the paypal address they have this year actually is".
-
-
Wednesday 13th June 2018 12:24 GMT Pascal Monett
Re: my domain has as many addresses as I want
Same here. I've set up a special account for that kind of situation : spam@mydomain.net
I use that in response to any question and for online subscriptions that I do not intend to follow but have to sign up to get what I'm looking for.
Needless to say : all mail going into that account is immediately trashed.
-
Thursday 14th June 2018 12:49 GMT julian.smith
Re: Me feeling happy ...
I have my own domain
I give each "requester" their own email address composed from their domain [theregister@mydomain.com]
From then on it's trivial to identify "requesters" who have been compromised - their emails are also usually flagged by my provider's spam detection software and:
- cease dealing with them
- blacklist any email using the compromised details
Easy peasy
-
-
Wednesday 13th June 2018 10:56 GMT wolfetone
Re: Me feeling happy ...
"that when I last bought something at Dixons that I refused to give my email address when the checkout operator insisted that I had to ... I think that he either entered his own address or invented something bogus."
I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.
Halfrauds are also trying to do this email collection thing, so I can get an emailed copy of my receipt. No mate, paper is good enough.
-
Thursday 14th June 2018 00:18 GMT JimboSmith
Re: Me feeling happy ...
I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.
I own my own domain too and give out unique email addresses to individual companies that ask for one and that I deem worthy. I made a stay at a hotel in the UAE who did need my email because there was an issue that remained unresolved as we were checking out. I made damn certain that I indicated that I did not want to be contacted by third parties or have my details sold. I received an email from some business in the same country to that address and I was unimpressed. Called the hotel and spoke to the switchboard and had a nice girl there explain that whilst I might think that I'd received it because it was from the same country it probably wasn't anything to do with the hotel.
Her: "Loads of people have your email address right?"
Me: "No only you have that particular address"
Her: "We wouldn't pass on your details if you told us not to. Are you sure?"
Me: "Yes because the email address is yourhotelchain@mydomainname.com, it is unique to you and I haven't given it to anyone else because I've never stayed at your chain before!" (and won't again after this).
Her: "Oh, I'm not sure who to transfer your call to."
Me: "Well as I made sure I told you I don't want any contact from you and I've been sent something maybe your head of (IT) data security?"
Her: "I'm not sure I know who that is, why them?"
Me: "Because if you really haven't sold/passed on my details then I would suspect you've got a problem somewhere with your computers/data."
Her: "I think all the IT people have gone home can you call back tomorrow?"
-
-
Wednesday 13th June 2018 11:06 GMT anthonyhegedus
Heart of our business?
"The protection of our data has to be at the heart of our business"? Who do they think they're fucking kidding!? At the heart of their business is conning people into buying shit they don't need when they buy a laptop, such as the laptop itself, norton virus, ms office etc. and persuading people to buy an insurance policy that costs half as much as the original item. Also right in the fucking dead centre of their business is refusing to honour said warranties and refusing to refund for faulty items. There Dixons Carphone Group - fixed that for you.
-
-
Wednesday 13th June 2018 16:51 GMT Anonymous Coward
The only way to teach him is by fining him personally.
He's got so much money any feasible fine wouldn't hurt. I say strap the pudgy faced public schoolboy into a device with his legs apart, and administer a public kick to the bollocks for each item of data lost. Obviously that's a lot of kicks, so each individual whose data was lost would have the right to place their own kick, or to "kick by proxy", nominating somebody like Johnny Wilkinson to do it for them. Mr Wilkinson's fee could be stuffed to Dunstone.
-
-
-
-
Wednesday 13th June 2018 15:36 GMT Killfalcon
Re: Timing is interesting for me
There are a small but annoying number of genuine corporate callers who are so paranoid about data breaches they don't identify themselves until you pass their DPA checks.
Theory is that if they have the wrong number, they don't reveal that you have an account with who-ever they are. It's painful to deal with, and teaches people to give up their personal details to unidentified callers.
-
Wednesday 13th June 2018 15:52 GMT Pat 11
Re: Timing is interesting for me
I take the view that any phone call, email, text, IM etc is utterly ignorable. If I'm wrong and it's important, they'll keep trying and find a better way to reach me, ideally by a hand-written letter.
I've always felt phone calls are very one-sided arrangements; one person somewhere else decides it's time for me to have a conversation with them. Very often they are wrong.
I am Ron Swanson.
-
Wednesday 13th June 2018 16:08 GMT John H Woods
Re: Timing is interesting for me
Them: "Can I get some security information before we proceed?"
Me: "Can I ask you a question first?"
Them: "Well ..."
Me: "If I did have an account with you, what would be your advice about sharing security information with unknown people?"
They: "Oh, you should never do that"
Me: "Thought so. Goodbye"
-
-
-
-
Wednesday 13th June 2018 11:30 GMT adam payne
Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores
Why are you storing card details?
"We are extremely disappointed and sorry for any upset this may cause,"
We are extremely disappointed in your company too.
The one question is why did it take you so long to announce the breach? Did you just forget?
-
-
Wednesday 13th June 2018 17:56 GMT Outer mongolian custard monster from outer space (honest)
Define properly secured at the perimeter. And bear in mind I was reading a paper today about how to bypass the akamai waf during a exploitation (I'm a offensive security bod before the mob tries to lynch me). The point being, that info is freely available on the net if you know where to research and both sides of the game have it. If you've evaded the waf, your attack will look like normal web traffic anyway if you get it to dump out via the same web server as a response unless you set off a sensor getting it to throw a reverse shell via a port or similar.
-
Wednesday 13th June 2018 19:17 GMT Anonymous Coward
How did the ne'er-do-wells manage to gain entry in order to milk the data?
How does any director gain access to the building he works at? We should consider that the attackers were doing what they do best, finding a weakness and preying on it. As such we should consider that they might qualify as "professionals". Dixonscarphonedoghouse on the other hand were screwing up as usual, so the term "ne'er-do-wells" is probably best applied to their bungling management.
-
Wednesday 13th June 2018 11:55 GMT dbgi
Perhaps I need a forwarding email address for every shop
As an interesting long term experiment, it would be good to setup a forwarding email address for every shop that insists an email address. e.g. Mountain Warehouse, Go Outdoors, PC World, etc.
Then when I get some of those spam emails or emails appearing on pwned, I know where the leak came from.
-
Wednesday 13th June 2018 12:58 GMT Anonymous Coward
Re: Perhaps I need a forwarding email address for every shop
If you have a... yes, Yahoo email address you can set up disposable addresses based on a common id, for example, your common id is abcdef, so an email address would be dixons-abcdef@yahoo.whatever. You can then set that address (up to 100) for each place you shop at then drop it once comprimised.... I did the above several years ago and only have about 10 left now our of the 40 or so I ended up creating. I does take some patience though.
-
Wednesday 13th June 2018 16:13 GMT John H Woods
Re: Perhaps I need a forwarding email address for every shop
A lot of web forms incorrectly reject it but a "plus form" address (RFC2822) is what you are looking for.
yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it.
-
-
Thursday 14th June 2018 06:57 GMT Adam 52
Re: Perhaps I need a forwarding email address for every shop
Should definitely work at Gmail, it's explicitly mentioned in the documentation.
Not foolproof though, we had to scrub the plus suffix from a load of addresses when migrating them to a new CRM that had broken email address parsing.
-
-
Thursday 14th June 2018 07:06 GMT dave 76
Re: Perhaps I need a forwarding email address for every shop
"yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it."
Except that is so well known that I would expect any malicious spam merchants to sanitise the email address by removing the +anythingyoulike so that your sorting/spam rules don't work.
-
-
Wednesday 13th June 2018 13:12 GMT Anonymous Coward
Retailers not adopting appropriate cybersecurity strategies
"Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies"
That's because there is no real penalty for not implementing appropriate cybersecurity strategies.
-
Wednesday 13th June 2018 13:13 GMT SkippyBing
Ha Jokes on Them
I've lost* all my credit cards and had them replaced since I last shopped there** so it's all useless information.
*Lost, fell out of my pocket while motorcycling across France, same difference.
**2016, I needed a new hard drive fast and they were actually the same price as Amazon.
-
-
Wednesday 13th June 2018 15:18 GMT SkippyBing
Re: Ha Jokes on Them
'Get a wallet with a chain on it.'
That was learning point #2!
Learning point #1 was that it's actually quite handy having a contact less card saved on your phone so you can at least pay for accommodation before you cancel everything. Learning point #3 is to leave that card at home next time.
-
Wednesday 13th June 2018 17:59 GMT Outer mongolian custard monster from outer space (honest)
Re: Ha Jokes on Them
Don't you have to have leather trousers with no bum in them to have a wallet on a chain?
Personally I put my wallet and phone in the big inside pocket inside the jacket, then by the time you've fell off and burst the main zip and slid far enough further to drag it inside out and abrade the liner away, dropping your phone is the least of your worries. Also stops it getting too wet. Soggy money is no fun.
-
-
-
Wednesday 13th June 2018 17:04 GMT Cynic_999
How about cookies?
If a company puts your CC details in a cookie that it sends to you (then forgets), it could retrieve those details by grabbing the cookie next time you place an order. However the details will then only be kept on *your* computer, not the company's servers, so I assume GDPR considerations will not apply.
The cookie could be encrypted, with the company using a different (random) encryption key for every customer. Then even if the company is hacked and all the keys stolen it would cause limited damage.
Of course, customers who place a new order using a different computer would have to enter their CC details again.
-
Wednesday 13th June 2018 17:58 GMT Alister
Re: How about cookies?
There is no reason to go to such obscure lengths, there are already perfectly good mechanisms by which a customer can have a token stored for future use which do not need card details or CVVs to be retained.
Dixon Carphone obviously thought they could do it their own way.
-
-
Thursday 14th June 2018 07:38 GMT The Boojum
Communication preferences
I received a text from Currys PCW yesterday stating that 'Important information from Currys PC World concerning data security' was to be found at a shortened URL. A check of the URL results in a long, tech-style address ending in cpwplc.com. Checks on that reveal this it's probably OK but I'm not minded to try it out.
So in short - and assuming it's valid link - lets warn our customers by sending them a text that looks like an invitation to be phished!
Sounds to me like an early recipient of of a GDPR 'Right to be forgotten' instruction.
-
Wednesday 11th July 2018 16:26 GMT Monkey12
Re: Communication preferences
Good luck!
I tried the "right to be forgotten". Seems they will only action this if I prove that I am who I say I am. For this they need me to send in a copy of my passport and official letter showing my address. Unsurprisingly I'm not willing to do this so they are going to retain all my personal information.
-
-
Thursday 14th June 2018 12:50 GMT EnviableOne
OK so they had simillar hapen and ICO hit them with a £400k fine
this is their second breach with Credit card data
I can see two potential consequences:
the ICO hit them with a BIG GDPR fine (last years t/o £10,580m makes max fine £211.6m/£423.2m)
PCI suspend their payment processing rights (no card transactions - All their online business and presumably most of there in store)
-
Friday 15th June 2018 11:02 GMT Anonymous Coward
Honest
At least they admitted to it. Page up people an very nasty company that filters job aplacants by asking up t 60pages of questions was recently hacked with loads of people's data stolen, did page up people notify any one, no , one of their clients contracted me to let me know and that they would not be using them any more
-
Sunday 24th June 2018 21:13 GMT Tom Paine
Well aware?
As a multinational organisation, Dixons Carphone would have been well aware of the Target breach.
As an infosec grunt toiling in the trenches, _I_ am well aware that this is absolute bollocks. i nearly fell off my chair when our CIO mentioned Maerk, but that was a week or tweo after the post-mortem "how we covered from having our entire estate bricked" was publicised.
I bet if you took 100 CIO, COOs, CSOs etc - let alone the line management - and asked them to name 3 big hacks from the last decade off the top of their heads,85% would struggle.
-
Wednesday 11th July 2018 16:25 GMT Anonymous Coward
I find that my details are on the Dixons Carphone list of customers whose information they have inadvertently shared. I tried to use my right under GDPR to have my personal details deleted. I am told that this is possible but only if I send further personal detail including a copy of my passport! They must be joking (but apparently not)
Methinks the company isn't really interested in meeting their data management responsibilities but is interested in maintaining as large a list of customer details as possible!