NCSC advice for Dixons Carphone plc customers

On June 13, 2018, Dixons Carphone plc revealed that a systems and data review had detected unauthorized access to specific data within the company.

At that time, the company disclosed that around 1.2 million records containing non-financial personal information, including names, addresses, and email addresses, had been accessed. There was also an attempt to breach 5.9 million credit and debit card records. Additional details are available in the Dixons Carphone statement.

On July 31, 2018, Dixons provided an update to the London Stock Exchange indicating that their nearly completed investigation found that approximately 10 million records with personal data may have been compromised in 2017. You can read the full statement here.

Those who have acquired the stolen personal data may exploit it to contact the affected customers and deceive them into disclosing more personal information, such as banking login credentials.

The National Crime Agency (NCA) is currently spearheading the law enforcement response to the data breach, with specialized officers from the National Cyber Crime Unit (NCCU) partnering with the company to gather evidence. Given the intricate nature of the investigations, it will take some time to complete.

Please review the following NCSC advice and take the necessary actions.

If you have concerns about potential fraud or lost data, reach out to Action Fraud. You can use their online fraud reporting tool at any time or call 0300 123 2040. For more details, visit www.actionfraud.police.uk.

It is also advisable to remain alert for any unusual activities in your bank accounts and to contact your financial institution if you have any concerns.

Regularly check your financial accounts online or via bank statements for any unfamiliar activities, such as transactions that seem suspicious. If you identify any anomalies, report them to your provider or Action Fraud right away.

Be cautious of unsolicited emails, phone calls, or SMS texts requesting further personal details, such as login credentials, particularly if they claim to be from your bank or credit card provider. These scams can appear highly convincing, and cybercriminals might leverage your personal data to enhance their credibility.

Legitimate financial institutions will never ask you to share personal information or account details through email. If you need to contact them, use a phone number or email address that you find independently, rather than one provided in a suspicious email.

If you come across a dubious email, report it to your email provider. Report any suspicious phone calls or SMS messages to Action Fraud.

You can easily check your credit score online. It is wise to perform this check every few months using a reputable service provider and to follow up on any unexpected findings.

For your most critical accounts, consider implementing two-factor authentication to provide an additional layer of security. See our Small Business Guide for more information.

The NCSC website offers clear and actionable guidelines on how organizations can safeguard their bulk personal data against cyber attacks – Protecting Bulk Personal Data.

You may also want to report significant cyber incidents to the NCSC. If an incident has the potential for national impact, we will strive to provide assistance, subject to resource availability. National impact could include threats to national security, the economy, public confidence, or public health and safety.

We encourage notification of incidents that may be of interest “for information,” particularly those that could enhance our understanding of adversary behavior, inform the guidance we provide, or benefit other organizations.