/ Money

Update: Dixons Carphone data breach – do you know your rights?

Dixons Carphone has today admitted that a large data breach has affected 1.2 million personal data records and 5.9 million payment cards. Are you aware of your rights?

More and more major companies are suffering data leaks and breaches – just last year we saw the largest in history with three billion Yahoo accounts affected.

Implicated companies get fined, but affected customers often get little or no redress. That’s why we’ve previously called on the government to amend the Data Protection Bill.

Hacking attempt

Dixons Carphone has said that the breach follows a hacking attempt to compromise 5.9 million cards in one of the processing systems it uses in its Currys PC World and Dixons Travel stores. It has informed the ICO, FCA and the Police.

The company has also stated that there is no evidence that any of the cards had been used fraudulently following the breach.

Personal data has also been accessed, including names, home addresses and email addresses, but again Dixons Carphone said that there’s no evidence at this stage that the information has left its systems, or resulted in any fraud.

Your rights

When a serious data breach occurs, companies are obligated under GDPR to tell you without undue delay.

The first thing we’d recommend doing is taking your own steps to secure your data; change your passwords and keep an eye on your bank accounts.

If your data is lost and it causes you financial damage or distress, you may be able to claim compensation. We’ve put together the steps you need to take in our consumer rights guide to data breaches.

With data breaches becoming more common than anyone would like, we want to see companies being held to account. The government should be giving independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to meet its data protection obligations.

Do you agree that the government should step in to ensure that people get the support and compensation they’re entitled to? Have you been affected by data breaches in the past? Let us know your views.

Update: 31/07/2018

Dixons has admitted that some 10m personal data records might have been affected by the data breach after further investigation.

When it first announced the breach in June, Dixons Carphone, who owns Carephone Warehouse and Currys PC World, said that most of the cards involved in the hack hadn’t been compromised. But 105,000 cards that had been issued outside the EU and didn’t have chip and Pin protection had been compromised. Dixons Carphone explained:

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details, and there is no evidence that any fraud has resulted”


This comment was removed at the request of the user

This comment was removed at the request of the user

As we’ve discussed before, names and addresses are hard to keep out of the public domain, for example telephone directories, electoral registers, and other official sources readily reveal them.

But, if a retailer needs to store customers bank details, then they do have a duty to keep those records secure.

Under these particular circumstance, it seems a pity that no-one had managed to upsell CPW into buying the best available internet security software, to go with their finance computer.

“Do you agree that the government should step in to ensure that people get the support and compensation they’re entitled to?”

As a point of principle, how far should governments go to protect the average Joe from risks incurred as consumers?

I think we all agree that governments should enforce trading standards, to protect consumers from sub-standard products, but does government also need to protect consumers against poorly run businesses? If so, how do we want to pay for that?

It is all very well to hold companies to account for data loss, but that doesn’t bring the data back from who ever has stolen it in the first place. While personal information is of value, people will steal it in any way they can, either to trade or to use nefariously. Jo public needs to ensure that what it uses on the internet can not cause it undue damage when others have it as well. That’s not easy, since many have complex needs requiring current internet access and the ability to transact freely. It follows, then, that there is an equal need for each transaction to be safeguarded in some way, so that others can not use their stolen data to hive off money in illegal dealing. Perhaps a randomly generated password is needed for each internet visit and some means of ensuring that only the rightful dealer can receive this. That would make other personal details less potent. Again there needs to be some foolproof safeguard to ensure that the bank/trader/vendor knows that the person they are dealing with is the one they think they are dealing with, and as a reverse, the consumer/account holder should be sure they are talking to the right people. If this kind of system were tightened up and better secured, then half the scams would be prevented. The problem with the internet and other distance communication is that neither side can see the other or verify who is there. It is this that makes fake web sites plausible and gives the crooks the edge. Someone in a hut at the bottom of the garden can pretend to be calling/webbing from a tower block in Canary Wharfe unless they can be traced visually or found by GP satellite. It still remains the case that the crook can hide effectively anywhere in the world and not get caught.
The internet is a useful tool for all of us. It must evolve so that it is effective in policing those who use it instead of shedding tears when others misuse it -that’s too late!

I hadn’t used Currys for over 8yrs.
I bought a big kitchen item recently AFTER removing my old email address & phone number & updating the old account online. And After ringing to check this would delete them from the system.

After the item was delivered & installed by them they started spamming the old email address (but all order details where sent to the new address). I rang, I filled in webforms I sent emails I begged them to remove my old email & phone number. They flitted between lying (we have deleted it) & saying that they are entitled to keep it. Today they contacted me at closing time by email to say they will not delete the old details unless I send them copies of a current passport & bank statement.

They believe it is me when I change it in the account settings
They believe it is me when I place the order & pay for it online
They believe it is me when they send order details to the new email address
They believe it is me when they issue a delivery refund because they deleted the original delivery slot because the customer service person hit the wrong button, so I had to wait a week longer.
They believe it is me when their own inhouse team deliver & install the large kitchen item.

But when I want them to remove an email address that they told me was already erased before I placed the order they require a passport & bank statement.
The phone number belongs to someone else now as old numbers are recycled by phone companies. I deleted the email address I had for nearly 20ys because they wouldn’t stop & had even passed it onto other companies to contact me for Currys. That email address will get recycled to a new owner as well.
This means that should they contact that phone number or old email address then my details will be revealed to a stranger

I’m disabled & housebound, I know its stupid but I am in tears here with the worry.
I’m not giving them private details. I don’t even have a passport, & there is nothing I can do to force them to delete it

Hi Fredables, given the recent introduction of the GDPR, you may now be in a strong position, from which you can order Currys to sort of this mess.

I found this guidance on customers’ GDPR rights here, in an article at eureka.eu.com/gdpr/know-your-rights/

2. Right to access
Individuals looking to scrutinise the use of their data by businesses will have the ability under the regulation to access that data and verify the lawfulness of its use. This means that, at any time, data controllers and teams must be able to confirm to individuals that their data is being processed, provide access to all of that data and also any supplementary information which was provided to them at the outset (wrapped up in the Right to Be Informed).

3. Right of rectification
Simply, this article in the data regulation means that any request by an individual to correct inaccurate information held by your business must be done swiftly, clearly and without undue delay.

4. Right to erasure
Once their data has been obtained, there are six reasons that an individual may request for their data to be erased – enacting the ‘Right to Be Forgotten’:

a. Their data is no longer necessary;
b. The individual withdraws consent due to unlawful processing or that their data falls into a special category;
c. Where they may object under the ‘Right to Object’ (more below);
d. The data has been unlawfully processed;
e. There is another legal obligation due to an EU member state law;
f. Or the data relates to consent with regard to a child.

If there is no need for Currys to keep any of your details, then I think you are entitled to demand their deletion.

If they need to keep some records of your custom, then you should insist that they correct the data they hold until it is correct.

I think the best way of asking for that would be by proper printed (or typed) letters, with proper wet signatures, if you can manage that. (I had to resolve a similar situation with Virgin a few years back. It took three letters before they finally got it right.)

That is a very useful summary and is worth bookmarking.

I’m aware of that and very familiar with the Information Commissioners Office & the GDPR. Particularly the bit on erasure.
I’ve quoted GDPR chapter & verse at Currys. I’ve demanded they remove it already, as I made clear. I’m not in a strong position and they are using the GDPR to justify their demand for a copy of a current passport and bank statement. They simply refuse to remove it without those documents they say they ‘cannot’ do it otherwise.

Fredables – thanks for that clarification.

Have you considered talking to the ICO to see if you can appeal Currys refusal via them?

Fredables, I’m sure you are aware of all this, but maybe for others:


Individuals can make a request for erasure verbally or in writing.

Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

So “verbally or in writing” seems to be sufficient, and even if they have doubts about your identity, given the relative insignificance of the data they hold, asking for a passport and bank details seems wholly disproportionate.

You could contact sebastian.james@dixonscarphonegroup.com

Appreciated Malcom, you’re kind 🙂
I have repeatedly pointed this out to them. They read from a script & ignore most of the points I’m making. It is ridiculously disproportionate. It has been going on for over a month now. I’ve asked for it to be escalated to a manager & that request isn’t even acknowledged. They just cut & paste their policy at me.
The phone people (teamknowhow) say they passed it to the “websars” (data? )team & there is nothing they can do because it is separate to them & so they say the buying of the item only counts to the phone team as proof not to the “websars” team

They delivered a very large kitchen item & installed it. They know full well it is me.

I’ve even googled to see if there is a way to (within the law) get them to ban my account so they’ll remove all my details then. There isn’t, & I hate breaking rules anyway

PS where is the subscribe to this thread button that the help guide says is under each post, please?

When you open up the “reply” box, before you post it, click on the “Follow this conversation by email” link in red, at the bottom left.
Best of luck.

Brilliant I never would have found that 😀

Already involved them, they appear to be taking a minimal interference approach. ie none Getting a strong impression that they will not intervene & they are aware of all the communications between Currys & I.

Under the GDPR, Currys PC World must have nominated a data protection officer. Have you been in contact with him or her? Contact details should appear in the company’s Privacy Policy Statement.

I’ve scrutinised all their T&C’s & Privacy Policy pages already.
I had to beg & beg to get them to even give me the email for the data team. So I would have proof of the correspondence (as opposed to webforms) They finally gave me the email address for the “websars” team. They refuse point blank & claim ignorance of anything further.

In CPCW’s case it should be a Data Controller, I’d have thought.

Having just retired from the UK arm of a large corporation, I can report that the arrangements introduced there for GDPR compliance were introduced via a fairly authoritarian dictate, in a bit of a rush and on the basis of simple but strict local rules.

So low level minions in Currys may have experienced a similar process and may not have any “wiggle room” within their company processes.

Hence I agree that Fredables’ case may require escalation to higher authorities. Even so, a short term win may not be possible, especially if the ICO are unwilling to help.

It would be interesting to hear whether or not Which? themselves will take any interest in this, and similar cases.

I would be happy if they did but I can’t imagine that they would get involved or even notice this

Sebastian James retired as CEO in January. I believe that it’s now Roger Taylor, who nearly got a letter from me when the company was messing me around earlier in the year. They eventually stopped insisting that I should contact the manufacturer of a product that was under guarantee and replaced it.

You are taking on one of the most challenging companies I know, Fredables, and I wish you success.

I have no hope.

🙂 You can do it.

There are two companies that I would like to teach how to run a business. The other one sounds like a river in South America.

You might be right Ian. My reading of the ICO’s guidance notes indicated that all organisations that handle personal data will need to nominate a data protection officer and those with extensive data management functions will need to have a data controller who determines the purposes and means of processing personal data. The DPO is responsible for the protection of data and for providing access to it by persons whose data is held by the organisation. I have noticed that different models have been used by organisations, that most organisations have woken up to this late even though they knew it was coming, and that some organisations [guess who] are being very disobliging when it comes to implementation.

Was it not Currys PC World that belatedly discovered in June 2018 that it had experienced a massive data breach during 2017? They need to get their house in order without further prevarication. Full compliance with the GDPR would be a good starting point.

I don’t understand why this company’s dubious practices don’t get more exposure and enforcement.

I agree with Derek’s comments. I have lost confidence in the ICO over various matters where they seem loath to exercise their considerable powers of enforcement.

Another thing, they can override withheld numbers which is illegal in the UK (except police etc). I was told by a staff member the call shows on the caller display as anonymous call for withheld numbers for a moment & then shows the number. I was told that they were told by management that they have to do it because of malicious or prank calls.

This comment was removed at the request of the user

Yes I know, as I clearly stated above first line in brackets (police etc) and it isn’t ALL govt services.
As BT are the ones who place a marker on the line to tell the receiving equipment to withhold the number then it quite obvious they know, they own the network.

Oooh! Tetchy. I think Duncan was just trying to explain, Fredables, for the benefit of all readers here.

This comment was removed at the request of the user