Dixons Carphone: Lessons from the First High Profile GDPR Data Breach

So, it hasn’t been long since the introduction of GPDR, and we’ve already seen the first high profile breach of the new data protection laws with Dixons Carphone.

The multi-billion-dollar organization revealed that they suffered a cyber-security breach that involved the personal data of over a million customer records. The data included personally identifiable information (PII), including names, addresses and email addresses. The breach also related to PCI compliance as it involved the details of almost 6 million payment cards. To be fair to Dixons Carphone, they responded exactly how they should; notifying the ICO and all the affected individuals.

Under the new GDPR regulations, the ICO must be notified within 72 hours of the breach taking place. At the moment, it is unclear when the initial breach took place and how long it took for Dixons Carphone to find out and report it. At any rate, the ICO is currently investigating and we will find out whether the potential full €20 million fine will be issued. It’s fair to say that all eyes are on the ICO at this time to see what action they will take.

Dixons Carphone are already in hot water with the ICO as Carphone Warehouse (a division of the company) were the victims of a similarly large cyber-attack back in January and was subsequently fined £400,000.

So, what lessons can we learn from this GDPR breach?

Educate Staff on their GDPR Responsibilities

All members of staff in your organization have responsibilities where personal data and GDPR is concerned. They need to know what is required of them and what steps they need to take if they do discover a data breach. In a broader sense, it’s worth educating your staff on the value of data and the importance of ensuring it is treated with care. This should help you prevent getting into a similar scenario as Dixons Carphone.

Review How You’re Protecting Personal Data

GDPR requires you to ensure that you are taking proactive and continuous steps towards the protection of personally identifiable information. You should introduce a solution into your environment that allows you to track, monitor and alert on changes taking place in your critical servers and to your sensitive data. A change auditing solution, such as Lepide Data Security Platform, will enable you to do this continuously and receive real time alerts on critical changes related to GDPR.

Keep a Log of Changes and Potential Breaches

The ICO require that you keep logs of all potential data breaches involving personal data, even if those potential breaches do not actually require reporting to the ICO itself. You can do this manually by sorting through event logs in the Event Viewer, but this takes time and it can be difficult to determine the context of the events from the event logs themselves. There are many change auditing solutions that aggregate these logs and present them into meaningful reports that can be scheduled at regular intervals. This should help you both determine when a potential data breach is taking place and keep a record of all changes occurring to your business-critical servers and data.

Ensure You Are Ready to Report Breaches

You’re going to need to have a policy in place should the worst happen, and you need to report a breach to the ICO. Make sure all members of staff involved in the process are aware of what they need to do in the event of a breach. Also, be sure not to forget that you also need a process in place to promptly inform those individuals whose personal data has been compromised.

There are many other lessons we can learn from this breach but perhaps the most important thing to remember is that GDPR is here, it’s real and companies need to take it seriously. I would not be surprised if Dixons Carphone receive a severe financial punishment as a result of this breach, if only as a message to the ICO.