NCSC advice for Dixons Carphone plc customers

On June 13, 2018, Dixons Carphone plc disclosed that a review of their systems revealed unauthorized access to specific data managed by the company.

At that time, it was reported that 1.2 million records, which included non-financial personal information such as names, addresses, and email addresses, had been accessed. Additionally, there was an attempt to compromise approximately 5.9 million credit and debit cards. More information is available in the Dixons Carphone official statement.

On July 31, 2018, an update to the London Stock Exchange indicated that their investigation, which is nearing completion, revealed that around 10 million records containing personal data might have been accessed in 2017. The complete statement can be found here.

Perpetrators who acquire stolen personal data may use it to contact customers, attempting to manipulate them into divulging additional personal information, such as banking credentials.

The National Crime Agency (NCA) is now spearheading the UK law enforcement response to this data breach, with specialized officers from the National Cyber Crime Unit (NCCU) collaborating with the company to gather evidence. Given the complexity of these investigations, the process may take some time.

Please review the NCSC guidance below and take any measures deemed necessary.

Individuals who suspect they may have been victims of fraud or unauthorized data access should reach out to Action Fraud. They can utilize Action Fraud’s online reporting tool at any hour or contact them at 0300 123 2040. For additional details, please visit www.actionfraud.police.uk.

It is also advisable to remain cautious regarding any unusual activity in your bank accounts and to promptly report any concerns to your financial institution.

Regularly monitor your financial accounts online or via statements for any unusual activities, such as unrecognized transactions. If you identify anything suspicious, report it immediately to your service provider or Action Fraud.

Be particularly cautious of unsolicited emails, phone calls, or SMS messages requesting further personal information, particularly login details—especially those claiming to be from your bank or credit card company. Such scams can be quite convincing, and attackers may leverage your personal information to make their approaches appear more credible.

Reputable financial institutions will never ask you to respond to an email with personal information or account details. If you need to contact them, use a phone number or email address that you have independently verified instead of one provided in the email—this may be fraudulent. For more guidance, refer to the NCSC information on phishing risks after data breaches.

If you encounter a suspicious email, report it to your email provider. Likewise, report any dubious phone calls or SMS messages to Action Fraud.

You can readily access your credit rating online and should do so periodically, utilizing a trusted service provider and addressing any unexpected or questionable findings.

For your most critical accounts, consider employing two-factor authentication to enhance protection. Additional advice can be found in our Small Business Guide.

The NCSC website provides clear, actionable advice on how organizations can safeguard their bulk personal data from cyber threats – Protecting Bulk Personal Data.

Organizations may also wish to report any significant cyber incidents to the NCSC. If the incident appears to have national implications, we will strive to offer assistance, subject to available resources. National implications may include risks to national security, the economy, public trust, or public health and safety.

We also encourage you to notify us of incidents ‘for information’ that may be of interest, such as events that could enhance our understanding of adversary strategies, inform our guidance, or assist other organizations.