
UK’s Dixons Carphone admits huge data breach - escapologybb
https://www.bbc.com/news/business-44465331
======
PuffinBlue
These pieces of information seem important (quotes from article):

1) It is investigating the hacking attempt, which began in July last year.

2) Dixons insists that it only discovered this latest hack a week ago

3) "The hackers had tried to gain access to one of the processing systems of
Currys PC World and Dixons Travel stores, the firm said."

4) There was "an attempt to compromise" 5.8 million credit and debit cards but
only 105,000 cards without chip-and-pin protection had been leaked

5) The good news is that nearly all of them were protected by good old chip
and pin - and there is no evidence of any fraud relating to the 100,000 non
European cards which didn't have that protection.

All of this suggests that rather than an attempt to breach a database or
storage system, the attack was persistent and similar to that which occurred
to Target where attackers breached the POS card terminal payment processing
system.

Altogether a more 'worrying' type of attack given the length of time it was in
place.

~~~
graystevens
From what I’ve read, this is exactly what I was thinking too - this has
POS/till malware written all over it. I look forward to getting some of the
more technical details (if they get released) to see exactly how widespread
this issue was.
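Added example (not from the commenter or the article): the defensive counterpart to the POS/till malware speculation above. RAM-scraping POS malware harvests magstripe Track 2 data from process memory, so a common detection is to scan a memory dump or application log for Track 2-shaped records and Luhn-validate the candidate PAN to cut false positives. The memory sample here is constructed, the PAN is the standard 4111... test number, and findings are reported masked so the scanner itself never writes full card numbers.

```python
import re

# Track 2 layout (ISO/IEC 7813): PAN (13-19 digits) '=' YYMM expiry, 3-digit service code,
# then discretionary data. The negative lookbehind stops us matching mid-number.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as PCI-style masking requires."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(blob: bytes) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in the blob."""
    findings = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # looks like a track but PAN is not plausible
        findings.append({
            "offset": m.start(),
            "masked_pan": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return findings


# Constructed sample: a simulated slice of a till application's process memory.
SAMPLE_DUMP = (
    b"\x00\x00order=4421;total=1999;\x00"
    b"4111111111111111=25121011000012345678?\x00"   # Luhn-valid test PAN, Track 2 shape
    b"ref=1234567890123456=2512101\x00"             # decoy: right shape, fails Luhn
    b"customer=J. Doe\x00"
)

if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE_DUMP):
        print(f)
```

In practice this logic runs over a process memory snapshot of the till software, or as a YARA-style rule on a memory-forensics tool; a single hit in a process that should never hold cleartext track data is a strong indicator worth escalating.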

~~~
sofaofthedamned
Last time I looked their POS systems ran Windows XP. I wonder if this is still
the case?

Some parts of it seem to go through an old school terminal emulator, but
others seem to be custom Windows apps and webpages using Internet Explorer.
For a company selling the latest tech they seemed woefully out of date.

~~~
kennydude
Last I looked Carphone Warehouse were using DOS

~~~
sofaofthedamned
I know what you mean but that actually seemed to be some sort of remote
terminal rather than DOS.

------
snowwolf
Note that this is the second hack in 3 years they've had to disclose and they
were fined £400k for that hack [1], which was obviously not enough to
incentivise them to invest further in their security. Wonder what the ICO will
do this time.

[1] [https://techcrunch.com/2018/01/10/uks-carphone-warehouse-fin...](https://techcrunch.com/2018/01/10/uks-carphone-warehouse-fined-nearly-540k-for-2015-hack/)

~~~
esquivalience
Sorry, no. It seems to have happened before GDPR came into force, and the law
isn't retrospective.

It will however be the first time since GDPR that some of the difficult
questions are asked and answered by the regulators with their new GDPR
mentality. So no doubt the response will be informative.

~~~
snowwolf
I'm not sure I mentioned GDPR? I merely said it would be interesting to see
what the ICO do.

The main problem is that a £400k fine was not sufficient to make them invest
in their security, even after they knew they were definitely a target (having
been hacked before).

Now if the ICO's hands are tied and they can still only fine them based on the
DPA limits then hopefully the ICO will fine them the full £500k and tell them
the next breach they have will incur the maximum GDPR fine. That should light
a fire up them.

~~~
esquivalience
Yes, I did notice that the comment looked different after I replied.

------
amelius
I think by now governments should have a service that gives citizens
placeholder personal-information. So you could go to a shop and say: my name
is X1, my address is X2, and my phone number is X3. If they want to send you a
letter, they use the X information. The postal office has a special contract
with the government, and can ask it to translate the information to real
information.

It sounds cumbersome, and it is, but companies have shown they can't handle
the information.

~~~
fredley
Isn't this just PO Boxes? I don't know if they exist elsewhere, but they're
very much a thing in the UK:

[https://www.royalmail.com/business/services/receiving/safety...](https://www.royalmail.com/business/services/receiving/safety/po-box)

~~~
amelius
Yes, but PO Boxes are somewhat fixed, so companies can still fingerprint you.
Your PO Box suggestion is like a cookie that's the same for all companies.
Instead, you want to generate PO Boxes as you encounter new companies, or
perhaps even as you place orders with those companies.
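Added example (not the commenter's code): one way the per-company "placeholder identity" idea in this thread could be built. A hypothetical registry derives an alias from the citizen's real details plus the company name (and optionally an order id) with an HMAC under a registry-held key, so the same company sees a stable alias for a given order while two companies cannot correlate their aliases; only a contracted carrier is allowed to translate an alias back. The registry, key handling and the `postal-office` requester name are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class AliasRegistry:
    """Hypothetical government-run alias service (constructed for this example)."""

    def __init__(self, key: Optional[bytes] = None):
        # The HMAC key never leaves the registry; aliases are useless without it.
        self._key = key or secrets.token_bytes(32)
        self._directory: Dict[str, Dict[str, str]] = {}   # alias -> real details

    def issue(self, real: Dict[str, str], company: str, order_id: str = "") -> str:
        """Return a per-(citizen, company, order) alias and remember the mapping."""
        # Field separator keeps "ab"+"c" and "a"+"bc" from colliding.
        msg = "\x1f".join(
            [real["name"], real["address"], real["phone"], company, order_id]
        ).encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        alias = f"X-{tag}"
        self._directory[alias] = dict(real)
        return alias

    def resolve(self, alias: str, requester: str) -> Dict[str, str]:
        """Translate an alias back; only the contracted carrier may do this."""
        if requester != "postal-office":
            raise PermissionError("resolution restricted to the contracted carrier")
        return dict(self._directory[alias])


# Constructed sample citizen record.
CITIZEN = {"name": "A. Person", "address": "1 Example Street", "phone": "01632 960000"}


def demo() -> Dict[str, str]:
    """Issue aliases to two shops and show they differ while each resolves correctly."""
    reg = AliasRegistry()
    alias_a = reg.issue(CITIZEN, "shop-a")
    alias_b = reg.issue(CITIZEN, "shop-b")
    alias_a_order = reg.issue(CITIZEN, "shop-a", order_id="order-42")
    return {
        "shop-a": alias_a,
        "shop-b": alias_b,
        "shop-a/order-42": alias_a_order,
        "resolved_a": reg.resolve(alias_a, "postal-office")["name"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that a breach at one shop leaks only that shop's aliases, and correlating them with another shop's data requires the registry key, which neither shop holds.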

------
iamben
"Luckily for Dixons, the incident happened before the new GDPR rules, which
promise much bigger fines, came into force."

I wonder how many hacks we're going to hear about in the next few months which
fall into the same category... [rolls eyes]

~~~
darkport
I asked our in-house data protection legal teams, and their understanding is
that because they _reported_ the breach after GDPR, they will be bound by those
rules and potential fines.

~~~
guitarbill
Problem is, they were coordinating with the National Cyber Security Centre. To
quote Wikipedia:

> The National Cyber Security Centre is an organisation of the United Kingdom
> Government that provides advice and support for the public and private
> sector in how to avoid computer security threats

Unfortunately, it remains to be seen how competent the NCSC is, or what exactly
the goals of the NCSC are. It's an arm of GCHQ, and so far doesn't seem
interested in fast disclosure.

Anyway, this might give them a way out. I'm sure NCSC/GCHQ are very capable of
exerting a lot of political pressure on ICO.

------
strooper
Once the personal data is out, it is out, we can do nothing about it. It is
not only credit card number that matters, our personal information matters the
most. Unfortunately, we haven't seen any exemplary punishment for the
responsible parties, nor have we seen any solid step taken in general to
prevent data breach. It seems regular data breach is just to make us
comfortable without a tail (reference to Aesop's fable: THE FOX WITHOUT A
TAIL)

~~~
Y_Y
It happened that a Fox caught its tail in a trap, and in struggling to release
himself lost all of it but the stump. At first he was ashamed to show himself
among his fellow foxes. But at last he determined to put a bolder face upon
his misfortune, and summoned all the foxes to a general meeting to consider a
proposal which he had to place before them. When they had assembled together
the Fox proposed that they should all do away with their tails. He pointed out
how inconvenient a tail was when they were pursued by their enemies, the dogs;
how much it was in the way when they desired to sit down and hold a friendly
conversation with one another. He failed to see any advantage in carrying
about such a useless encumbrance. “That is all very well,” said one of the
older foxes; “but I do not think you would have recommended us to dispense
with our chief ornament if you had not happened to lose it yourself.”
“DISTRUST INTERESTED ADVICE.”

------
lexalizer
I noticed this warning on the Talk Talk direct debit details page, two weeks
ago:
[https://twitter.com/lexburdusel/status/1001994580672344064?s...](https://twitter.com/lexburdusel/status/1001994580672344064?s=03)

------
MatthewWilkes
Given they say this only affects cards without chip-and-pin, this is probably
of interest to people from the US who have flown in to British airports, as
Dixons operate electronics stores selling things like portable USB chargers,
headphones, kindles, SD cards, etc in most large UK airports.

~~~
guitarbill
I don't think that's quite clear yet. I think what they are saying is
anybody/any country not using chip-and-pin is basically asking to be defrauded
at this point. If you post your card to Instagram, you'd expect to get
defrauded, magstrip/swiping is pretty much that but in a computer readable
format. (Yeah, it's not usually public but that doesn't make it secure.)

------
ilarum
"The good news is that nearly all of them were protected by good old chip and
pin". - So what data is usually stored for chip and pin users? - Does that
mean non-chip and pin users' entire card data was stored in DB?

~~~
mayniac
>"The good news is that nearly all of them were protected by good old chip and
pin"

I assume this means that they didn't store the CVV (CVC2)? It's hard to tell
right now, there isn't a huge amount of reliable information. They may have
kept CVC1 info from magstripe cards.

Should go without saying though that chip and pin isn't really bulletproof
security, and the last four digits of card numbers can be enough for identity
fraud if the attacker is capable, especially in conjunction with other leaked
information like addresses and DOB.

~~~
tomalpha
I don't believe that chip and pin data is stored locally. Assuming that the
payment records were from point-of-sale equipment then the entire transaction,
including customer information is end-to-end encrypted and wouldn't (couldn't)
be stored by the retailer [0]. I guess this either means that mag-stripe
transactions _do_ involve storing the card number locally, or there's
something else at play here.

[0] [https://sumup.com/emv-credit-card-chip/](https://sumup.com/emv-credit-card-chip/)

(My knowledge of this is limited, so I'd be very interested if I've
misunderstood this).

~~~
mayniac
POS terminals transmit data back to the computers they're attached to
unencrypted, so they can definitely store it if they wanted to.

Everything is speculation at this point, I assume they just kept CC and
personal info in a db somewhere for no good reason like a lot of companies do
but it's really hard to tell as Dixons haven't told the media too much
currently.

------
martinald
Unsurprising, TalkTalk also has been breached badly. TalkTalk was spun out of
Carphone a while back. Seems something very rotten with their approach to
infosec.

~~~
jdefelice
There is a really good podcast episode about the TalkTalk hack
[https://darknetdiaries.com/episode/4/](https://darknetdiaries.com/episode/4/)

------
ccnafr
5.9 is not huge. What about the hundreds of millions that leaked from Equifax.
That's huge.

------
M_Bakhtiari
Carphone, Stagecoach, these Brits really seem to like naming their companies
after obsolete technology.

~~~
SmellyGeekBoy
Strange that, considering the companies were founded and named when the
technology was still current.

Of course "Carphone Warehouse" (the trading name of the company that merged
with Dixons to become Dixons Carphone) probably does sound incredibly strange
to anyone who wasn't alive in the carphone era, but they were a strong high
street brand so I can see why they stuck with it.

------
michalxnet
Funny thing, last year this time I was picking up a camera and the till next to
me was some guy buying a SIM with some ID or proof of address requirements.

He was like "Sorry I don't have ID with me ...bla bla bla..., I have it on my
e-mail, can I use your computer?"

And staff was like OK here you go, and they let him behind the counter to use
their PC.

I was there a good 5 minutes and the guy was still using the staff computer when
I was leaving.

And I was in my head like "WTF?"

------
ConsumerLed
I was the victim of identity fraud at a Carphone Warehouse branch. Someone set
up 2 new contracts on 2 different networks using nothing but my address, bank
account details and a fake ID (paid cash for the upfront payment). Their
incompetence is mindblowing. This company is going to £0.

