What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”.

Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review.

However, this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which puts the onus on data controllers to disclose breaches rapidly, rather than — as has all too often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, while leaving their users in the dark in the meantime, unwittingly shouldering all the risk.

In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force); or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force.

A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And this covers not just personal data that has actually been confirmed as lost or stolen, but also security incidents that entail a risk of unauthorized access to customer data.

The exception to the ‘without undue delay, within 72 hours’ requirement is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. So while it’s clear that not every breach will require disclosure (if the personal data was robustly encrypted, for example, a company may deem it unnecessary to disclose a breach), the caveat still sets a pretty low disclosure bar, at least where a breach entails a risk of personal information being extracted from the compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty. (GDPR has supersized fines for data violations — and therefore also something that the bloc’s DP law has sorely lacked for years: Teeth to encourage compliance.)

If a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also urges data controllers to communicate the incident to the people affected — and do so without “undue delay”.

Dixons said in June that it was contacting “those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take”. But at that time it only thought 1.2M people had been affected.

More than a month later it now puts the number of records swiped at ~10M — and yet is only now contacting the millions more customers whose data was also compromised last year.

Clearly, this is not a good look. Customers who got faux reassurance in June, when the company did not write to them to warn them their data was at risk, will feel rightly angry about any delay in communicating with them.

It will be up to the UK’s data protection watchdog to decide whether Dixons’ security practices and its response to the breach of its systems meet the standards it expects from data controllers. And a lot will depend upon whether the incident falls under the DPA98, which encourages disclosure of serious breaches but does not legally require it within any deadline, or under GDPR, which absolutely does.

The maximum possible penalties under the two regimes are also very different: the ICO can issue a maximum fine of just £500k under the DPA98 (it recently announced it would be issuing a fine of this size to Facebook, for instance, for data misuse related to the Cambridge Analytica incident — which took place in 2014), versus up to €20M (or 4% of the total worldwide annual turnover of the preceding financial year) under GDPR.

For a sense of what a GDPR level fine would mean for Dixons Carphone, the company’s 2017/18 revenue is around £10.5BN so — if GDPR were indeed to apply — it would be facing a maximum possible penalty of £420M. Which would surely get the shareholders talking.

But Iannopollo argues it’s not even the risk of major financial penalties that companies are most worried about when it comes to GDPR compliance — rather it’s damage to their reputation and to customer trust that’s really making them sweat.

In a recent Forrester survey asking companies about their biggest concerns vis-a-vis the consequences of failing to comply with the regulation, Iannopollo says the main worries reported were loss of customer trust and reputational damage, followed by regulatory enforcement — with fines coming lower down the list.

“It’s interesting the point about regulatory enforcement — I remember working with a number of banks and actually they were very worried about enforcement action,” she adds. “You don’t want a regulator to impose on you a specific process to handle data. You don’t want a regulator to impose on you a limitation on some processing activities. And they understand that the effect of such an enforcement action can probably be even more detrimental than a fine in some ways.”

Whatever the particular driver, security must now be front of mind for any (well run) organization routinely handling the personal data of EU people. Because the risks for screwing up are getting real.

It’s also clear that consumers are waking up to the fact their personal information is at risk — doubtless in large part because of how poorly their data has been protected before now — and also waking up to the fact they have enhanced data rights they can exercise to help manage and shrink their personal risk.

“Probably the biggest push to GDPR enforcement is coming from customers themselves, both end users and business customers,” says Iannopollo.

Discussing Dixons’ breach response, she is very critical of the company’s lack of customer focus in its public comments. “I saw a lot of emphasis around whether the breach happened before GDPR — so hoping that there was not this standard. And also there was something else that was said about ‘there is no evidence that our customers suffered any financial loss’ as a result of the breach. And again it’s interesting because until a few days ago they didn’t even know the breadth of the breach and now they are saying there wasn’t a financial loss so we’re not prepared to provide compensation. This is not exactly what we see as a constructive way to tackle the breach and help your customers figure out how they can be safe even if you lost their data,” she says.

“In the UK customers can ask for compensation even if they have emotional distress as a result of a breach — there is a potential to develop class action for the mishandling of customer data,” she adds. “And also they said well we are now finally sending some letters to our customers to try and explain what happened — well it’s way too late. Your customers are already very worried. There is no way this company can now show in any way the customers that they have competency over what happened because clearly we all doubt that actually there is some competency there. And actually I don’t think that they are showing there is a remediation strategy in place for their customers.

“All they did was to say that we don’t have any evidence of financial losses so we are not ready to compensate. Are you really taking care of your customers in this instance? Are you really showing that there is a commitment to make sure that they still feel that you are responsible for their data, doing your best to protect this data? I don’t think so. The executive team were involved but I don’t think they were doing really a good job from their customer sentiment and customer trust point of view.”

In its statement yesterday, the company’s CEO Alex Baldock said he was “disappointed in having fallen short” — and apologized “for any distress we’ve caused our customers”, adding that the company is “fully committed” to safeguarding customers’ personal data.

A month earlier, when the company disclosed a much smaller sized breach, he had said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

Does Iannopollo believe GDPR’s breach disclosure requirements could lead to more disclosures that similarly inflate in size after the fact — i.e. because an initial disclosure put out to hit the GDPR 72-hour disclosure window gets revised upwards later — at least in the short term, as companies that perhaps have not yet doubled down on their security investments, let alone rearchitected any data processes, are caught on the hop?

“It remains a technical challenge to understand what happened, quantify the number of records that were lost — so all that forensics work and the classic incident response immediately after you discover the breach cannot necessarily provide a full answer, a full picture immediately after — so definitely there is a part of that [that] is a genuine delay. And the regulation accounts for this,” she replies on that.

“Regulators do expect organizations to do a first disclosure, but also they give an opportunity to organizations to come back and provide additional details as they become available. Again it’s very genuine, the idea here — it’s not a strategy to avoid a potential fine; the regulator understands companies might need more time.”

We asked the ICO how it’s likely to respond to breach reports that are revised upwards a considerable time after the initial disclosure (such as one month+ in Dixons’ case).

A spokeswoman for the watchdog told us the regulation does allow for phased breach reporting, as more information is uncovered during an investigation. However she also emphasized that it expects the investigation to be prioritized — so, again, that there be no additional “undue” delays in any follow-on disclosures.

“In general terms the GDPR’s rules around personal data breach reporting recognize that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows organizations to provide the required information in phases, as long as this is done without undue further delay,” the ICO told us.

“However, we expect controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. They must still notify us of the breach when they become aware of it, and submit further information as soon as possible. If they know they won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when to expect more information.”

The watchdog has more guidance on how data controllers should handle breach disclosures here.

Iannopollo reckons organizations won’t (or shouldn’t) struggle to make a breach disclosure to their regulator within the GDPR timeframe — pointing to rising numbers of reports being made to DPAs in the wake of GDPR coming into force. (Late last month Ireland’s Data Protection Commission said it had received more than 1,100 reports of data breaches since May 25 vs an average of just 230 prior to GDPR, for instance.)

What she argues is more challenging for organizations to get right is not to lose sight of the impact of a breach on your users/customers — in the midst of needing to make (awkward) public pronouncements and communicate with those affected by the incident.

“You might feel that as an organization you want just to undermine the kind of breach that you have suffered, you may say that the less people were involved the less records were involved, but the point is that if you are the one communicating to the affected customers in the very first place, and you have an opportunity to explain to them what happened, and to explain in which way you are taking care of them and their data even after the breach, then you have an opportunity to manage their response in a way that doesn’t destroy the trust that your customers have in you,” she says.

“If you instead decide to go very small, and say ‘well nothing really happened’, and you do what [Dixons did] and say, well it’s about 1M and then we discover that actually it’s 10M records that they lost, at that point you have lost your opportunity to manage the breach with your customers because it means that they might realize that they were part of the data breach — they might be affected… without the business being in touch with them… So this is really the risk. So whatever they can do to have a full picture of what happened, as soon as possible, that will help them managing their response of the breach… with your customers so that — hopefully — it doesn’t become a breach of trust.”

“A breach of trust has consequences that are well beyond a fine,” she adds. “The challenge to me is really communicating to the public, communicating to customers — this is something that for European customers this is something new. We are not used to receive these sorts of communication.

“And what I see from the data that we have is customers that are really becoming much more aware of these sorts of incidents, what it means for them, and they know that they have rights when it comes to privacy. And it’s not just compensation — it’s ‘I want to get control over my data and I expect a business to respect these sorts of rights that I have and to be able to give me that control over my data’.

“The incident response team cannot be just a technical team or a legal team, it has to be marketing team, PR, it has to be the executive team. You need to have a plan about what we say to these customers, which is the remediation that we offer — is it going to be credit monitoring, identity protection… are we setting up a call center to be able to respond to questions if there are questions from customers.”

Of course GDPR also puts strong emphasis on practices that should — in theory — minimize the chances of risky data breaches happening in the first place, because the law now encourages good practices like data minimization, privacy by design, and indeed investment in strong security.

So, over the longer term, the theory is that data controllers’ priorities and processes will be re-worked in a way that makes data breaches — if not as rare as hens’ teeth then (hopefully) a whole lot less common than they’ve become in recent years, when another major breach has seemingly hit the headlines every few weeks.

But Iannopollo is under no illusions that that sort of transformational shift will happen overnight.

“Ideally we would see that. That would be the best outcome,” she says, discussing the possibility of GDPR leading to fewer data breaches in future, if it’s successful in transforming attitudes and approaches to data processing and security across multiple industries and sectors. “There is no question that GDPR has driven a lot of investment into specific security technologies… Many companies have made improvements… in terms of the controls that they are using.

“Hopefully also they’ve thought about the processes that underpin the deployment of these technologies. The changes around data minimization, the management around third parties, the ability to build data architectures that are really flexible and transparent in the same way — it will take some time.”

She also says there are companies now starting to offer managed services to help organizations respond effectively at the point of a breach disclosure — such as by supplying additional call center resource. So there are startup opportunities there.

GDPR triggering a comprehensive reorganization of organizations’ data processing is certainly “not the rule” yet though. “What we have seen is more organizations backing one or two requirements — heavily relying on technology, as much as they could, but not taking enough time to think about changes to their governance, and the processes and also people skills, as an element of compliance with GDPR,” she adds.

“So, again, ideally — and for those organizations that really have taken this comprehensive approach — we might see those results in the medium term: A decrease of these sorts of incidents, and better discipline around data handling practices. But the reality is that many organizations have just taken this very piecemeal approach to GDPR. So for that sort of overall outcome we will need to wait some time to see.”

The strength of the regulation’s impact will depend most on two things: how much push there is from below, i.e. from users and customers — so how people feel; what they say; and via specific legal redress actions they could choose to take, such as class action style actions seeking compensation.

And also of course on the regulatory enforcement — when that lands.

That all important piece of the compliance puzzle remains to be seen, given we’re only in the first months after GDPR came into force — when regulators are likely allowing organizations a bit of time to get their compliance ducks in order.

How DPAs ultimately respond to all the extra complaints they’re getting will be very important in setting the tone of the new regime because it will end up shaping data controllers’ perception of and response to GDPR.

Rules without enforcement quickly stop being worth the paper they’re written on. And a watchdog that barks but doesn’t bite will soon get treated like a pet.

However, given EU consumers are increasingly aware and even active when it comes to their data rights, it would be a major misstep if the region’s regulators fell short by failing to listen to rising concerns.

In the meanwhile, it’s likely there will be a period where information about data breaches gets a bit more dynamic — with news of a breach emerging with less delay than it might have, prior to GDPR, but perhaps also with a greater possibility that an initial disclosure does not paint the full picture because an investigation is still in train. So, in short, compliance, like security, is an ongoing process.