Dixons Carphone, the company behind Currys PC World, is still investigating a hacking attempt that involved almost six million credit and debit cards, plus 10 million customer data records (previously reported by the firm to be 1.2m).

The breach – according to the firm – was discovered in June 2018, but the hack itself occurred in July 2017.

Dixons Carphone says that virtually all the cards are safe because they’re protected by the chip-and-PIN system, and none of the data from 105,000 older, unprotected cards has been used fraudulently. Those cards are non-European, so if you have UK-issued cards, you shouldn’t be affected.

It isn’t the first time the company has failed to adequately protect payment card data: it suffered a similar breach in 2015, in which the details of almost a million cards were compromised. TalkTalk and Vodafone were also hacked in the same year.

Have my card details been leaked in the hack?

Unless you have been contacted by Dixons Carphone or your card company, you are probably in the clear.

The hackers targeted the long number on credit and debit cards, but not PINs or verification codes. This means that you, as the cardholder, cannot be identified, nor can purchases be made with the information, so long as it is a chip-and-PIN card.

What about my personal data?

Originally, Dixons Carphone said 1.2 million customer records were accessed in the breach, but it has now revealed the figure is almost ten times that, at 10m.

The records contained non-financial data including names, addresses, dates of birth and email addresses.

The company says that there is now evidence that some of this data may have left its system, but has no confirmed instances of this resulting in any fraud. It also said it would be apologising to customers, and has now sent out emails to that effect.

The following advice is included in those emails about what those affected should do:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
  • You can find more information here

What can I do to keep my data safe?

Unfortunately, once you hand over your personal and financial information to another company, there is nothing you can do but trust they will keep it secure and safe.

The GDPR rules introduced at the end of May mean companies must now take much better care of that data and face fines of up to £17.9m if they don’t.

Since the breach occurred before the new laws came into effect, Dixons Carphone might be fined up to the maximum of £500,000 under the old data protection laws.

Change your password

If you have an account with Currys PC World or any Dixons Carphone company, it’s worth changing the password.

Don’t use the same password you use for any other account, and don’t reuse old passwords.

Monitor your bank account

Keep an eye on your accounts for any unknown activity, and speak to your bank if you see any transactions you think could be fraudulent.

Don’t get scammed

As with any data breach, be extra vigilant about scams, particularly via email. Our advice is simple:

  • Don’t click on any links in emails until you’ve verified they’re genuine and legitimate
  • Don’t download or open any attachments unless you’re sure they’re safe
  • Get some good antivirus software and keep it up to date
  • Don’t give any details to cold callers

Also, get GDPR protection outside the EU with a VPN.