Data breach at UK retailer could cost more than £50M, cyber insurance exec says

The cost of U.K. electronics retailer Dixons Carphone PLC's data breach, in which hackers tried to access data on 5.9 million payment cards, could "easily exceed" £50 million, not including a fine that could exceed £400 million under the EU's new data protection regime, according to a cyber insurance specialist.

Graeme Newman, chief innovation officer of specialist technology underwriting agency CFC Underwriting Ltd., said the costs would be covered by a standard cyber insurance policy and the loss to insurers, if Dixons Carphone has insurance, "would not make a dent in the cyber market." But Lloyd's of London insurer Beazley PLC's international breach response manager, Raf Sanchez, noted that the increase in claims since the May 25 introduction of Europe's General Data Protection Regulation could make insurers more selective about the companies they cover.

"Considering we have had a significant uptick in reported incidents since GDPR and therefore the risk profile is definitely higher, I think insurers will have to become a bit more circumspect or careful about who they are insuring," Sanchez said.

Dixons Carphone, which operates the Carphone Warehouse and Currys PC World chains, said June 13 that in addition to attempts to access the payment card data stored on its systems, 1.2 million records containing nonfinancial personal data such as names, addresses and email addresses had also been accessed. Dixons Carphone has cyber insurance, but the company declined to provide details about the cover or whether it would make a claim when contacted by S&P Global Market Intelligence.

Counting the cost

The company will likely have to pay the costs of initial investigations and fixes, Newman said, but far more expensive could be the tab for notifying the 5.9 million cardholders and potentially having to pay for the reissue of their cards. Notification could cost between £3 and £5 per person, depending on the method, while reissuing chip and PIN cards could cost between £4 and £7 apiece, he estimated.

On top of this, Dixons Carphone could face a fine from the U.K. data regulator, the Information Commissioner's Office. Under GDPR, there are two levels of fine for noncompliance: €10 million or 2% of turnover, whichever is higher, and the higher of €20 million and 4% of turnover.

The biggest possible penalty would cost Dixons Carphone £423.2 million, based on its 2016/2017 revenue of £10.58 billion, although Newman said a penalty on this scale would be "exceptionally unlikely" because he expects the ICO to reserve the top fines for the worst type of breaches.

"The most egregious examples are unlikely to be ones where a business has been a victim of cybercrime," he said. "The most egregious examples are generally going to be where businesses have knowingly and willfully collected, harvested, shared and sold data that they shouldn't have."

Gray area

Data breach fines could also be included under cyber insurance policies. Paul Dickson, CEO of specialist technology insurance broker Innovation Broking, said whether fines are covered is "a bit of a gray area," but that insurers would most likely offer cover where it is not expressly forbidden by law.

"The fact that it may be, arguably, against implied public policy doesn't prevent insurers offering cover," he said. "Insurers tend to play follow-the-leader so if one takes a chance and says: 'Yes we'll cover fines so long as not uninsurable by law,' the rest, however reluctantly — and it is in some cases — will follow along."

Dixons Carphone said that of the 5.9 million cards, 5.8 million have chip and PIN protection and that the accessed data "contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made." It also said it had found "no evidence of any fraud" on the roughly 105,000 cards without chip and PIN that had been compromised.

On the 1.2 million nonfinancial records that were breached, Dixons Carphone said it had no evidence that the information had left its systems or resulted in any fraud "at this stage."