Dixons Carphone data breach timeline


In January 2020, Dixons Carphone was fined half a million pounds for failing to protect its customers’ personal data. The Dixons Carphone Warehouse data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores.

The details stolen by the cybercriminals included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also got access to the records of 5.9 million payment cards. All these details can be used by cybercriminals to commit further crimes.

But where are we up to in this case? And what has happened so far?

July 2017 to April 2018
An attacker installed malicious software on 5,390 tills in branches of Currys PC World and Dixons Travel chains. During this period, the vulnerability went undetected, and hackers were able to access a huge amount of personal data.
5 April 2018
Dixons became aware of the data breach. In the following days, the company commissioned a specialist security response team to investigate the incident. At this stage, Dixons Carphone was unable to definitively state what data, or how much data, was exfiltrated.
8 June 2018
Dixons Carphone first notified the Information Commissioner’s Office (ICO) that it had suffered a cyber-attack. At this stage Dixons admitted that 5.9 million credit card numbers and 1.2 million records containing non-financial personal data had been accessed.
13 June 2018
Dixons Carphone updated the ICO with more details about the breach. In view of the number of individuals affected, and as the compromised data included payment card data, the ICO subsequently launched an investigation.
July 2018
Dixons Carphone revealed that 10 million customer records may have been accessed in the cyber-attack. That is ten times more people than the retailer first thought.
9 January 2020
The ICO fined Dixons Carphone £500,000. According to the ICO: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The ICO investigation

The ICO investigation found:

  • systemic failures in the way DSG Retail Limited safeguarded personal data
  • failures relating to basic, commonplace security measures
  • a complete disregard for the customers whose personal information was stolen.

Following the ICO’s fine, we launched a Dixons Carphone data breach claim

If you were a customer/potential customer of Dixons Retail Group (DRG) – which includes Currys PC World and Dixons Travel stores – between 2015 and 2018 it is likely you were affected by this breach. You could be affected if you bought a product outright or on finance, attempted to buy a product on finance but were refused, or if you took a support product or warranty out with DRG in that time.

At Keller Lenkner UK, we have launched a group action claim against DRG. Group actions can be a powerful tool and can have a bigger impact than a single claim.


We can take on your claim on a no-win, no-fee basis, so you have nothing to lose.


Register to become part of our Dixons Data Breach group action. 
