Incident: Data Breach at Dixons Carphone: Unauthorized Access to Customer Data

Published Date: 2018-06-13

Postmortem Analysis
Timeline 1. The breach occurred within the year before 25 May 2018, the date the European General Data Protection Regulation (GDPR) came into force [72331]. 2. The article was published on 2018-06-13. 3. Estimation: the unauthorized access took place between May 2017 and May 2018; the article gives no more precise date.
System 1. Processing system at Currys PC World and Dixons Travel [72331] 2. Data protection measures at Dixons Carphone [72331]
Responsible Organization 1. Dixons Carphone, whose processing system at Currys PC World and Dixons Travel was accessed without authorization, compromising customer card and personal data [72331].
Impacted Organization 1. Dixons Carphone customers whose card details and personal records were accessed [72331] 2. Banks that issued the affected cards, which Dixons Carphone notified [72331] 3. Dixons Carphone itself: its shares fell by as much as 6% and the Information Commissioner's Office, the National Cyber Security Centre (NCSC) and the Financial Conduct Authority opened investigations [72331]
Software Causes 1. The article does not identify the specific software weakness. It reports that the processing system at Currys PC World and Dixons Travel was accessed without authorization in an attempt to compromise the cards held there, exposing 5.9 million Dixons Carphone customers' payment cards and 1.2 million personal records [72331].
Non-software Causes 1. Insufficient data protection measures leading to unauthorized access to customer data [72331] 2. Failure in ensuring the security of customer information [72331] 3. Lack of timely detection of the data breach [72331] 4. Potential lack of adequate cybersecurity protocols in place [72331]
Impacts 1. Unauthorized access to 5.9 million Dixons Carphone customers' cards and 1.2 million personal records, leading to a massive data breach [72331]. 2. Potential risk of fraud and loss of data for affected customers [72331]. 3. Apology from the company's chief executive for failing its customers and causing upset [72331]. 4. Negative impact on the company's reputation and stock value, with shares falling by as much as 6% [72331]. 5. Investigation by regulatory bodies like the Information Commissioner's Office, National Cyber Security Centre, and Financial Conduct Authority [72331]. 6. Potential financial penalties under GDPR rules, with a maximum fine of €20 million or 4% of global turnover [72331]. 7. Concerns raised by consumer groups about data protection and customer security [72331].
Preventions 1. Robust security engineering practice, including regular security audits, penetration testing and intrusion detection, could have found the weakness that allowed unauthorized access to customer data before an attacker did [72331]. 2. Strict access controls on the processing system at Currys PC World and Dixons Travel, with every read or export of card data tied to an authorized principal and logged, could have blocked the attempt to compromise the cards or at least made it visible [72331]. 3. Real-time monitoring and alerting on anomalous activity in the processing system could have detected the intrusion at the time rather than months later, limiting the volume of data exposed [72331]. 4. Training and awareness programmes for staff on data security practice could have reduced the chance of internal errors or misconfigurations that create such openings [72331].
Fixes 1. Implementing stronger security controls to prevent unauthorized access to customer data [72331] 2. Conducting a thorough review of the existing systems and data security protocols and enhancing them [72331] 3. Enhancing monitoring of the processing systems, and advising customers to watch their bank accounts for suspicious activity [72331] 4. Providing clear information to affected customers about the breach and the steps they should take to protect themselves [72331] 5. Engaging cybersecurity experts to handle the matter and adding extra security measures to the systems [72331]
References 1. National Cyber Security Centre (NCSC) [Article 72331] 2. Dixons Carphone (company involved in the data breach) [Article 72331] 3. Information Commissioner's Office (ICO) [Article 72331] 4. Financial Conduct Authority [Article 72331] 5. Alex Baldock, Chief Executive of Dixons Carphone [Article 72331] 6. Alex Neill, Managing Director at Which? [Article 72331]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization <Article 72331> reports a data breach at Dixons Carphone in which an intruder gained unauthorized access to 5.9 million customer payment cards and 1.2 million personal records held in the processing system at Currys PC World and Dixons Travel. The article covers this one organization only and does not report the same failure elsewhere. The chief executive, Alex Baldock, admitted that the company had failed its customers and said that the protection of data must be at the heart of the business; the company engaged cybersecurity experts and added extra security measures. The Information Commissioner's Office is investigating alongside other agencies, and the breach raises the prospect of fines under the GDPR rules [72331].
Phase (Design/Operation) design, operation (a) design: the processing system held card and personal data that an intruder was able to reach, which indicates that the protective design of that system (access control, segmentation, monitoring) was insufficient for the data it held; the article does not name the specific weakness [72331]. (b) operation: the intrusion went undetected for an extended period and was only found during a review of the systems, and the response, closing off the unauthorized access and adding extra security measures, was operational; detection and response procedures therefore shaped how long the exposure lasted [72331].
Boundary (Internal/External) within_system, outside_system (a) within_system: the exposed data, 5.9 million cards and 1.2 million personal records, sat in Dixons Carphone's own processing system at Currys PC World and Dixons Travel, and that system's controls did not stop the attempt to compromise the cards [72331]. (b) outside_system: the access came from outside the company, a cyber-attack on its systems rather than a fault that arose inside them on its own [72331].
Nature (Human/Non-human) non-human_actions, human_actions (a) From the company's side the failure presented as the processing system allowing access it should not have: the article gives no indication that an employee's mistake or action caused the exposure, and the intrusion was found during a review of the systems rather than reported by a person [72331]. (b) Unauthorized access is nonetheless a deliberate human act by whoever attempted to compromise the cards, and the company's own shortfall was human too: Alex Baldock, the chief executive, acknowledged that Dixons Carphone had fallen short in protecting customer data, and the company responded by engaging cybersecurity experts and adding extra security measures [72331].
Dimension (Hardware/Software) software (a) hardware: the article describes no hardware fault; the only system it names is the processing system at Currys PC World and Dixons Travel in which the 5.9 million cards and 1.2 million personal records were held, and nothing in the report attributes the exposure to the equipment holding that data [72331]. (b) software: the breach was an attempt to compromise the cards in that processing system, which points to a weakness in the system's software or its access controls rather than in physical equipment; Dixons Carphone said it had closed off the unauthorized access and engaged cybersecurity experts to add security measures to its systems [72331].
Objective (Malicious/Non-malicious) malicious (a) The breach was a cyber-attack in which unauthorized access was gained to 5.9 million customer cards and 1.2 million personal records; the article describes it as an attempt to compromise the cards in the processing system at Currys PC World and Dixons Travel, that is, a deliberate effort to obtain payment data, and customers were told to watch their bank accounts for suspicious activity [72331]. (b) There is no non-malicious component: the names, addresses and email addresses in the personal records were accessed by the same intruder. The company's statement that it had found no evidence of fraud limits the known harm so far, not the intent behind the access [72331].
Intent (Poor/Accidental Decisions) poor_decisions [72331] The breach is attributed to shortfalls in how the company chose to protect customer data. The chief executive said that Dixons Carphone had failed its customers and had fallen short in protecting their data. The measures taken afterwards, closing off the unauthorized access and engaging cybersecurity experts, came only after the intrusion had run for an extended period, which points to decisions about data security controls and monitoring that were inadequate before the fact.
Capability (Incompetence/Accidental) development_incompetence (a) The company attributed the breach, which affected millions of customers' data, to its own failure to protect that data adequately. The chief executive, Alex Baldock, apologized and acknowledged that the company had fallen short, stating, "The protection of our data has to be at the heart of our business and we've fallen short here" [72331]. (b) There is no basis in the article for calling the breach accidental: unauthorized access is deliberate on the intruder's side, and the company's statement that it had found no fraud resulting from the breach speaks to the outcome so far, not to how the access occurred. Closing off the access and engaging cybersecurity experts was a reactive response to a deliberate intrusion [72331].
Duration temporary The breach was a bounded event: it occurred within the year before GDPR came into force on 25 May 2018, was discovered during the week before the article was published, and was closed off once found [72331]. It was not a permanent loss of function, although the exposure of the data itself cannot be undone.
Behaviour other (a) crash: not applicable; the system did not lose state or stop performing its functions [Article 72331]. (b) omission: not applicable; the system did not skip any of its intended functions [Article 72331]. (c) timing: not applicable; the system did not perform its functions too early or too late [Article 72331]. (d) value: not applicable; the system did not produce incorrect results for its intended functions [Article 72331]. (e) byzantine: not applicable; the system did not give inconsistent responses [Article 72331]. (f) other: the failure was that the processing system allowed unauthorized access to customer data and payment card information. It kept performing its own functions while failing to protect the data it held, which is a security-property failure rather than any of the behaviours in (a) to (e) [Article 72331].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: people's material goods, money, or data was impacted. The breach gave an intruder access to 5.9 million customers' payment cards and 1.2 million personal records, including names, addresses and email addresses [72331]. theoretical_consequence: at the time of the article no fraud had been detected as a result of the incident, so the financial harm to customers, such as fraudulent purchases on the roughly 105,000 cards without chip and pin protection, remained a possibility rather than an observed loss, which is why customers were advised to watch their bank accounts [72331].
Domain sales, finance (a) The failed system was related to the sales industry as it involved a massive data breach at Dixons Carphone, a consumer electronics retailer, affecting 5.9 million customers' cards and 1.2 million personal records [72331]. The breach targeted the processing system at Currys PC World and Dixons Travel, indicating a sales-related system compromise. (h) The incident also has implications for the finance industry as about 105,000 payment cards without chip and pin protection were accessed, potentially exposing customers to fraudulent purchases. Dixons Carphone notified the banks concerned, and no fraudulent purchases were detected at the time of reporting [72331]. (l) Additionally, the breach has regulatory implications as it falls under data protection laws. Under the previous Data Protection Act rules, the maximum fine imposed could be £500,000, while under the GDPR rules, firms could face a maximum of €20m (£17.6m) or 4% of global turnover. The Information Commissioner’s Office, alongside other agencies, is investigating the breach [72331].
