Who is this guidance for?
Customers of Dixons Carphone plc and its primary brands in the UK, Currys PC World and Carphone Warehouse, who the NCSC is working with to investigate a data breach.
On 13 June 2018, Dixons Carphone plc announced that a review of their systems and data had shown unauthorised access to certain data held by the company.
At the time, Dixons Carphone reported that 1.2m records containing non-financial personal data, such as name, address or email address, had also been accessed. There was also an attempt to compromise 5.9m credit and debit cards. Further details can be found in the Dixons Carphone statement.
On 31 July 2018 Dixons updated the London Stock Exchange to say that their investigation, which is now nearing completion, had identified that approximately 10 million records containing personal data may have been accessed in 2017. The full statement can be read here.
Attackers who have the stolen personal data may use it to approach customers and trick them into revealing further personal information (for example, banking login details) that the attackers can then use to harm them.
The National Crime Agency (NCA) is now leading the UK law enforcement response to the data breach, with specialist officers from the National Cyber Crime Unit (NCCU) working with the company to secure evidence. Due to the complexity of these enquiries, the investigation will take some time.
What should I do?
Read through the NCSC advice below and take any appropriate steps.
Anyone concerned about fraud or lost data should contact Action Fraud. Use Action Fraud’s online fraud reporting tool at any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk.
We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
NCSC advice to customers
Monitor your financial accounts online or through statements for strange activity, such as transactions you do not recognise. If you do find something suspicious, report it immediately to your provider or Action Fraud.
Be particularly wary of unsolicited emails, phone calls or SMS messages asking you to disclose further personal details eg login information – especially if they claim to come from your bank/credit card provider. Such scams can be very convincing, and attackers may use your personal data to make them look even more realistic.
Genuine financial institutions will not ask you to reply to an email with personal information, or details about your account. If you contact them, use a phone number/email address you have looked up yourself, rather than one sent to you in the email – it may be false. For further information, look at NCSC guidance on the phishing threat following data breaches.
If you spot a suspicious email, report it to your chosen email provider. Report suspicious phone calls or SMS messages to Action Fraud.
You can check your credit rating quickly and easily online. You should do this every few months anyway, using a reputable service provider and following up on any unexpected or suspicious results.
For your most important accounts, consider using two-factor authentication to add an extra layer of protection. See the advice in our Small Business Guide.
NCSC advice to companies
The NCSC website sets out clear and actionable advice about how organisations can protect their bulk personal data from cyber attack - Protecting Bulk Personal Data.
You may also wish to report significant cyber incidents to the NCSC. If the incident is likely to have a national impact then we will seek to provide support, subject to resource constraints. National impact includes harm to national security, the economy, public confidence, or public health and safety.
We would also welcome notification of incidents ‘for information’ which you feel may be of interest, for example incidents which may contribute to our understanding of adversary activity, inform the guidance we provide, or help other organisations.