Dixons Carphone Data Breach Group Action Open Claim

What is This Claim About?

Dixons Carphone is facing a group action seeking compensation for millions of customers whose information was breached in a cyberattack that began in 2017.

Hackers targeted over 5,000 tills in Currys PC World and Dixons Travel branches between July 2017 and April 2018. Customer card information and personal data was compromised in the breach, which went undetected for several months.

The Information Commissioner’s Office issued the maximum allowable fine for Dixons Carphone following an investigation into the cyberattack.

Who’s Eligible?

You may qualify to join the Dixons Carphone data breach claim if your personal or card information was put at risk due to the breach.

How Much Compensation Will I Receive?

If the case is successful, qualified Class Members will receive compensation in Dixons Carphones’ mishandling of secure information.
The amount each claimant receives will be determined in court.

How Do I Join?

Law firm Keller Lenkner is leading the group claim against Dixons Carphone.

Click here to start your claim.

A U.K. law firm is accepting claimants who say they were affected by the Dixons Carphone data breach that compromised millions of customers’ information.

What Happened?

In June 2018, a Government Communications Headquarters (GCHQ) branch reportedly announced it was investigating a data breach that involved a cyberattacker accessing 5.9 million Dixons Carphone customer cards.

The National Cyber Security Centre (NCSC) and Financial Conduct Authority (FCA) also took part in the investigation.

According to Keller Lenkner, the law firm leading the group litigation, the cyberattacker installed malicious software on over 5,000 tills in Currys PC World and Dixons Travel branches between July 2017 and April 2018. The attack went undetected.

Dixons Carphone identified the data breach while its systems and data were under review, The Guardian reported. 

At the time, Dixons said while there was an attempt to compromise the cards, there was no evidence that any fraud had taken place as a result of the data breach.

During a second breach, customers’ personal data — such as names and addresses — was accessed, but again, Dixons said there was no evidence of fraud.

In January 2020, the Information Commissioner’s Office (ICO) fined Dixons Carphone £500,000, the maximum possible amount, for its role in the cyberattack that reportedly affected at least 14 million people.

The ICO’s powers were bolstered in 2019 when the General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998, The Guardian reported. The regulator is now able to fine a firm up to 4% of its annual global turnover.

However, Keller Lenker points out, none of the £500,000 amount will go to compensate the millions of people whose personal information was compromised.

What Customer Data Was Breached?

According to The Guardian, the attacker was able to access nearly 6 million people’s payment card details and the personal information — including names, email addresses and details of failed credit checks — of approximately 14 million people.

Of the cards that were accessed, nearly all were chip- and PIN-protected; no PIN codes, card verification value (CVV) numbers or authentication data was compromised, meaning the attacker was reportedly not able to make purchases using the information.

The attacker also gained access to about 105,000 payment cards from outside the EU did not have chip and PIN protection, according to The Guardian. Dixons Carphone notified the banks involved, and they said they hadn’t flagged any fraudulent purchases.

A managing director of the consumer group Which?, Alex Neill, told The Guardian the breach was concerning.

“This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data,” he said.

He also warned that anyone who is concerned they could be at risk of fraud should think about changing their passwords, monitor their online accounts and watch out for emails about the breach that could potentially come from scammers.

Dixons Carphone Data Breach Group Action Seeks Compensation

The ICO said it found “systemic failures” in the way Dixons maintained its customer data, The Guardian reported.

“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” said Steve Eckersley, the ICO’s director of investigation.

The regulator reportedly said Dixons Carphone’s lax security and the inadequate steps that were taken to protect customer data violated the Data Protection Act 1998.

According to Keller Lenkner, the ICO’s investigation found systemic failures in how Dixons Carphone safeguarded consumers’ personal data. It also found failures in the company’s basic security measures and a disregard for the customers whose information was compromised.

Dixons Carphone disputed some of the ICO’s findings and said it had made significant investments in its information security systems.

Dixons group chief executive Alex Baldock pointed out no customers had suffered any fraud or financial loss because of the data breach. 

“We are very sorry for any inconvenience this historic incident caused to our customers,” he told The Guardian. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Keller Lenkner argues that while Dixons Carphone was itself the victim of a cyberattack, the business had control of customer information and is therefore responsible for allowing it to be “intentionally, negligently or recklessly” hacked.

Because the ICO investigated and found Dixons Carphone guilty, the law firm can now use that as evidence in making the group Dixons Carphone data breach claim for compensation.

Read More Consumer & Lawsuit News: