Millions more Dixons Carphone customers were affected by a data breach than the company first reported, it has emerged.
In June the company revealed that 5.9 million customer bank card details and 1.2 million personal data records had been hacked.
But today the company said its investigation had shown about 10 million records containing personal data had been accessed, making it one of the UK’s biggest breaches.
“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017,” the company said in a statement.
The company said that while there was evidence some data had been stolen, the pilfered records “do not contain payment card or bank account details”.
The company said it was continuing to update the relevant authorities, and was advising customers on protective measures to prevent fraud.
“As a precaution, we are choosing to communicate to all of our customers to apologise and advise them of protective steps to minimise the risk of fraud. As we indicated previously, we have taken action to close off this access and have no evidence it is continuing,” the statement said.
Dixons, the retailer behind Currys, previously said that while 5.8 million of the payment cards targeted were protected by chip and pin, around 105,000 non-EU cards without chip and pin protection were compromised.
Dixons Carphone added that the relevant card companies had been notified, but said there was no evidence of fraud on the cards as a result of the incident.
Chief executive Alex Baldock said on Tuesday: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
Nonetheless, the new development is likely to damage confidence in the system.
Andy Norton, director of threat intelligence at Lastline, said: “Upon further investigation Dixons found that the breach was 10 times more severe than they originally thought.
“They also state that, as of today, there is no evidence to suggest fraud has arisen because of the breach. Unfortunately, given the accuracy of their previous statements, tomorrow may be a different story.”
Following the original announcement in June, the National Crime Agency said that it is working with the National Cyber Security Centre, the Financial Conduct Authority and the Information Commissioner’s Office (ICO) to “understand what’s happened”.
Consumer rights champion Which? tweeted: “It’s a good idea to be extra wary about any emails or phone calls you may receive related to the Dixons Carphone data breach. Unexpected events like this can be a magnet for scammers.”
Among some of the tips from moneysavingexpert.com in light of the hack are to regularly check accounts, watch out for scams and look out for guidance from Dixons.