1) It is investigating the hacking attempt, which began in July last year.
2) Dixons insists that it only discovered this latest hack a week ago
3) "The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said."
4) There was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked
5) The good news is that nearly all of them were protected by good old chip and pin - and there is no evidence of any fraud relating to the 100,000 non European cards which didn't have that protection.
All of this suggests that rather than an attempt to breach a database or storage system, the attack was persistent and similar to that which occurred to Target where attackers breached the POS card terminal payment processing system.
Altogether a more 'worrying' type of attack given the length of time it was in place.
Some parts of it seem to go through an old school terminal emulator, but others seem to be custom Windows apps and webpages using Internet Explorer. For a company selling the latest tech they seemed woefully out of date.
It's really a big box store with even less grasp of security than real mobile operators, who are not as serious about security as traditional telcos.
The "security" there was a nightmare. They were inputting customer data into Windows XP machines with Internet Explorer (probably 7 or 8), Flash and Java.
For credit checks they were also swiping cards' magstripes into the same machine (I no longer remember if they were also manually typing the CVV).
The staff could and did also use the machines for web browsing like resetting a customer's Apple or Google account password, etc.
Retail is hard. Surprisingly, genuinely hard. When you have hundreds or thousands of outlets, some of them are special, you have wacky hardware, stuff is potentially updated over WAN, you often have a varied hardware fleet, retraining hundreds or thousands of operators is damn near impossible, your stuff was stuck together with sticky tape in the first place, and meanwhile the customer is in the rep's face tapping their feet or walking out on a sale because "the new system is acting up".
There are a lot of orgs eating a ton of risk on the retail end just because the problem is so messy and expensive to fix.
> you have wacky hardware
They were using standard desktop PCs, not sure what you mean by that.
> stuff is potentially updated over WAN
They had a Cisco router in the shop that VPN'ed back to the mothership, so as far as the computers are concerned they were all on one big LAN and don't have to worry about its security (as long as the VPN is configured correctly, which for such a company is quite a big if).
> retraining hundreds or thousands of operators is damn near impossible
Make the web app intuitive enough to not require any training? Strangely, I never hear people needing any "training" to use the latest Facebook or Snapchat - maybe the real answer is to actually hire a competent UX designer?
> your stuff was stuck together with sticky tape in the first place
True, but then again this problem needs to be solved. Putting tons of customers at risk and praying that they don't get compromised is unacceptable.
> the new system is acting up
I am not sure if they can do worse than the old system. It was routinely throwing Java stack traces all over the place (from the server) filled with confidential info.
Not to mention, none of this excuses having outdated IE, Java & Flash, and unrestricted outbound internet access on those machines.
Facebook has a terrible UI and I'd wager the majority of people who use it aren't aware of half the hidden features on there. In fact I can think of 4 occasions just off the top of my head where that's happened (wife couldn't find the option to share a FB group URL, people not finding options to subscribe or unsubscribe from a particular discussion, I can never find the damn "report this comment to a moderator" option in FB groups when I need it).
As for Snapchat, that app hardly compares to the level of complexity that a typical POS system would need.
Most importantly though, I don't really want to be the unlucky guy who has to wait there patiently while a member of staff guesses their way through a transaction. Let alone deal with the hassle of escalating things to a manager when said staff inevitably makes a mistake due to a lack of training.
It will however be the first time since GDPR that some of the difficult questions are asked and answered by the regulators with their new GDPR mentality. So no doubt the response will be informative.
Given they also were out of compliance with PCI-DSS, they can expect an industry "fine" as well.
The main problem is that a £400k fine was not sufficient to make them invest in their security, even after they knew they were definitely a target (having been hacked before).
Now if the ICO's hands are tied and they can still only fine them based on the DPA limits then hopefully the ICO will fine them the full £500k and tell them the next breach they have will incur the maximum GDPR fine. That should light a fire up them.
It sounds cumbersome, and it is, but companies have shown they can't handle the information.
Also, some banks already offer virtual credit card numbers, which work much like that system, yet as far as I know they're not widely used. Why would that system be?
I wonder how many hacks we're going to hear about in the next few months which fall into the same category... [rolls eyes]
> The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats
Unfortunately, it remains to be seen how competent the NCSC is and what exactly the goals of the NCSC are. It's an arm of GCHQ, and so far doesn't seem interested in fast disclosure.
Anyway, this might give them a way out. I'm sure NCSC/GCHQ are very capable of exerting a lot of political pressure on ICO.
Sounds similar to that attack on Target a few years back that targeted the POS electronic card readers themselves.
I assume this means that they didn't store the CVV (CVC2)? It's hard to tell right now, there isn't a huge amount of reliable information. They may have kept CVC1 info from magstripe cards.
Should go without saying though that chip and pin isn't really bulletproof security, and the last four digits of card numbers can be enough for identity fraud if the attacker is capable, especially in conjunction with other leaked information like addresses and DOB.
(My knowledge of this is limited, so I'd be very interested if I've misunderstood this).
Everything is speculation at this point. I assume they just kept CC and personal info in a db somewhere for no good reason, like a lot of companies do, but it's really hard to tell as Dixons haven't told the media too much currently.
The point is that for Chip & PIN cards, the banks don't expect any magstripe transactions at all (for markets where EMV is in effect, like the UK), which means the card data would be pretty useless as anyone attempting to use them would trip all kinds of fraud alerts.
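The issuer-side rule this comment describes, written out as an added example that is not code from the thread or from any bank or card scheme: a chip card presented as a magstripe swipe (or keyed in) inside an EMV market is the anomaly, so a screening rule can decline or review it, while a chipless non-European card swiped in a UK shop (the 105,000-card case from the article) passes as normal. The `Transaction` fields, the `EMV_MARKETS` set and the sample authorisations are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed set of issuer/merchant countries treated as EMV (chip-and-PIN)
# markets for this example; a real issuer keeps this per BIN range and region.
EMV_MARKETS = {"GB", "IE", "FR", "DE", "NL"}


@dataclass(frozen=True)
class Transaction:
    """One authorisation request as the issuer sees it (constructed schema)."""
    txn_id: str
    card_token: str        # issuer-side token standing in for the PAN
    chip_card: bool        # card was issued with an EMV chip
    issuer_country: str
    merchant_country: str
    entry_mode: str        # "chip", "contactless", "magstripe" or "keyed"
    amount_gbp: float


def flag_reason(t: Transaction) -> Optional[str]:
    """Return why the authorisation should be declined or reviewed, or None.

    In an EMV market a chip card is expected to be read via its chip (or
    contactless), so track data lifted from a magstripe read is of little
    use to a thief: the swipe itself is what trips the alert.
    """
    emv_market = (t.issuer_country in EMV_MARKETS
                  and t.merchant_country in EMV_MARKETS)
    if t.chip_card and emv_market and t.entry_mode == "magstripe":
        return "magstripe read of a chip card inside an EMV market"
    if t.chip_card and emv_market and t.entry_mode == "keyed":
        return "keyed (card-not-read) entry of a chip card inside an EMV market"
    return None


def screen_transactions(txns: Iterable[Transaction]) -> Dict[str, str]:
    """Map txn_id -> reason for every transaction the rule flags."""
    flagged: Dict[str, str] = {}
    for t in txns:
        reason = flag_reason(t)
        if reason:
            flagged[t.txn_id] = reason
    return flagged


# Constructed sample authorisations, not real card or merchant data.
SAMPLE_TRANSACTIONS = [
    # UK chip card, read by chip in a UK shop: normal.
    Transaction("T1", "tok-1111", True, "GB", "GB", "chip", 42.00),
    # Same UK chip card, swiped on a magstripe reader in a UK shop: the
    # pattern a replay of stolen track data would produce.
    Transaction("T2", "tok-1111", True, "GB", "GB", "magstripe", 899.00),
    # Non-European card with no chip, swiped in a UK shop: legitimate, the
    # case the article's 105,000 unprotected cards fall into.
    Transaction("T3", "tok-2222", False, "US", "GB", "magstripe", 15.50),
    # UK chip card swiped abroad, where magstripe acceptance is still normal.
    Transaction("T4", "tok-1111", True, "GB", "US", "magstripe", 60.00),
]

if __name__ == "__main__":
    for txn_id, reason in screen_transactions(SAMPLE_TRANSACTIONS).items():
        print(f"{txn_id}: {reason}")
```

Only T2 is flagged: the rule keys on the mismatch between what the card can do and how it was read, not on the card data itself, which is why stolen magstripe data from chip cards in an EMV market is worth so little.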
I would not worry about the card data. What's much more important is the other stuff like loyalty cards, etc.
Of course "Carphone Warehouse" (the trading name of the company that merged with Dixons to become Dixons Carphone) probably does sound incredibly strange to anyone who wasn't alive in the carphone era, but they were a strong high street brand so I can see why they stuck with it.
Carphone Warehouse originally sold carphones; Stagecoach only came about a long time after stage coaches were obsolete.
He was like "Sorry I don't have ID with me ...bla bla bla..., I have it on my e-mail, can I use your computer?"
And the staff were like, "OK, here you go," and they let him behind the counter to use their PC.
I was there a good 5 minutes and the guy was still using the staff computer when I was leaving.
And I was in my head like "WTF?"