European electronics and telecom retailer Dixons Carphone said a breach of its systems last year could have resulted in attackers accessing roughly 10 million records, including customers’ personal data.
On June 13, the company first announced that its networks had been compromised by intruders, and that it was working with authorities.
Since then, “we have been putting further security measures in place to safeguard customer information, increased investment in cyber security and added additional controls,” Dixons Carphone said Monday in a statement.
The company revealed that although it has evidence “some” data may have been siphoned out of the company’s systems, the exfiltrated information does not include credit card or bank account details. There is also no proof any fraud has occurred because of the breach, the company said.
The intruders accessed non-financial personal information, such as names, addresses and email addresses. They also accessed the records of 5.9 million credit cards, but most of them were protected by the chip-and-PIN security system.
“We have taken action to close off this access and have no evidence it is continuing,” the company said in a statement.
“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right,” said Dixons Carphone CEO Alex Baldock. “That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
The company stayed mum about further details surrounding the breach – such as when exactly it occurred or how long systems were compromised. It is still unclear just how much data was siphoned out.
The U.K.’s National Crime Agency began investigating the breach last month, after the company first disclosed the incident. The National Cyber Security Center, Financial Conduct Authority, and Information Commissioner’s Office are also looking into the incident.