The U.K.’s data-protection watchdog said it’s investigating a cyberattack at Dixons Carphone Plc that affected almost 6 million payment cards.
The retailer, already struggling with a slowing mobile-phone market in the U.K. and the rise of Amazon.com Inc., said 1.2 million records containing nonfinancial information such as names, addresses and emails were breached.
The U.K. Information Commissioner’s Office said in a statement that it’s looking into the “impact on customers” as well as the timing of the hack. The cyberattack, which began in July, was discovered only last week, Dixons said. That’s just days after tough new European Union data-protection regulations went into effect.
“We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 data-protection acts,” the information commissioner said in a statement.
While the company said there’s no evidence of any fraudulent use of the data so far, the cyberattack is another challenge for new Chief Executive Officer Alex Baldock, who took over in April. Dixons shares were down 3.2 percent at 2:55 p.m. in London.
About 5.8 million cards affected had chip-and-PIN protection, the company said, and the data accessed for these cards do not include the personal identification codes or other authentication details enabling cardholders to be identified or purchases to be made. About 105,000 cards issued outside the EU, without chip-and-PIN protection, were compromised, Dixons said.
It’s “alarming to see how long it took the company to respond to the breach,” Simon McCalla, chief technology officer of cybersecurity provider Nominet, said by email.
Baldock last month issued the company’s third profit warning since August and criticized the lack of investment in stores and the poor performance of the mobile-phone business.
Dixons has struggled as consumers upgrade their cellphones less frequently. Last month, the retailer forecast that earnings this year will slump about 21 percent to 300 million pounds ($400 million) as it closes stores in a contracting U.K. household-electronics market. The cyberattack involved the processing systems of the Currys PC World and Dixons Travel stores, the company said.
Under the new European General Data Protection Regulation, which went into effect in May, companies can be fined up to 4 percent of their sales for data breaches.
Dixons has been targeted twice in the past few years. A cyberattack at the Carphone Warehouse unit resulted in a fine of 400,000 pounds by the Information Commissioner in 2015. In that incident, hackers exposed the personal details of more than 3 million customers and some employees.
In other cyberattacks, about 150 million users of Under Armour Inc.’s MyFitnessPal nutrition-tracking app had their accounts hacked, while Reckitt Benckiser Group Plc lost sales because of a hack that disrupted its supply chain in 2017. The WannaCry ransomware attack crippled parts of the U.K.’s National Health Service last year.
“Cybercrime is a continual battle for business today, and we are determined to tackle this fast-changing challenge,” Baldock said in a statement.