Cyber criminals stole the personal and bank details of 2.4 million Dixons Carphone customers, the electronics retailer said on Saturday. Not exactly known for liking unpleasant surprises, investors sent shares in the firm down 0.8% this morning to 452.3p.
A major data breach must be pretty low down of the list of news a CEO wants to deliver, but Dixons Carphone boss Sebastian James gave it a good shot.
‘We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,’ he said, adding that PC World, Curry’s and the vast majority of Dixons Carphone customers were unaffected. ‘We are, of course, informing anyone that may have been affected, and have put in place additional security measures.’
Apology – check. Action being taken – check. Reassurance that it won’t happen again – check. James did take some criticism for waiting three days to make the news public (the firm discovered the breach on Wednesday), but rushing into a statement without getting all the basic facts would have been a mistake. No one wants the answer to the question ‘how many people are affected?’ to be ‘I don’t know’.
Like an earthquake or a hurricane, the full impact of a cyber attack on a firm is hard to assess until the dust has settled. However, it seems unlikely Dixons Carphone will face a severe financial hit as a direct result of the breach.
Look at some of the big victims of cyber crime in recent years. Sony had plenty of egg on its face after embarrassing emails were published in the wake of its high profile hack last year, but it estimated the actual cost of investigating the breach and repairing IT systems to be only $35m (£22.4m).
That didn’t involve the theft of huge volumes of personal data, however. The data breach in the Japanese firm’s Playstation division in 2011, which did involve such data, was far more costly (approximately $171m), as was discount giant Target’s breach in late 2013.
In January this year, the American firm said costs from the incident, including litigation and compensation, had reached $162m after insurance payouts. That might sound pretty steep, but it followed the theft of 40 million customers’ data, in a far more litigious country. Unlike Dixons Carphone, it also crucially involved the significant theft of credit card numbers.
Dixons Carphone said credit card data for 90,000 customers may have been stolen, but that’s hardly in the same league. If anything, the greater damage to the British firm will be to its reputation. It’s perfectly understandable that customers could be deterred from giving their details (i.e. making purchases) to a company that couldn’t secure such information before.
However, this is also unlikely to translate into a longer term problem, unless the Information Commissioner's Office, which is investigating the breach, determines Dixons Carphone was somehow negligent – and there’s no reason so far to think that it was.
Otherwise, people will probably see it as just one of those things that can happen when shopping online. Dixons Carphone would in a sense be seen as another victim of the cyber criminals.
Both Sony and Target said they didn’t believe their data breaches would have a long term impact on earnings, and both companies – along with fellow hack victim Home Depot – saw their shares dip only to rise again to current levels well above the price before the hacks became public.
Investors are far more interested in underlying performance after all, and in that respect Dixons Carphone has been strong since the merger that formed it last year. However costly this breach ends up being, it’s unlikely to set the business back in a big way.