Last week, UK electronics retailer Dixons Carphone revealed that a massive data breach had hit the company, with attackers accessing data on 5.9 million customer payment cards and an additional 1.2 million records that contained personal information, our sister site ZDNet reported.
The breach–one of the largest involving a UK company, announced just weeks after GDPR came into force–has tarnished the brand and comes on top of a 24% drop in 2017-18 profits. Executives expect profits to fall a further 21% this year, according to Reuters.
“We’re certainly talking about a multi-year journey here,” Dixons Carphone chief executive Alex Baldock told Reuters. “At the end of that what we can point toward with some confidence is sustainable value significantly in excess of what we’re seeing at the moment.”
The breach was discovered during a review of systems and data, according to a company statement. The unauthorized access began in July 2017, though the company has not said when it was found, ZDNet reported. While the investigation is ongoing, the statement noted evidence of an attempt to compromise the 5.9 million payment cards through one of the processing systems used by its Currys PC World and Dixons Travel stores.
There is currently “no evidence” that any fraudulent activity has resulted from the breach, according to the statement. Chip and PIN protection should prevent 5.8 million of the cards from being used without authorization, the statement said, because PIN codes and card verification values (CVV) were not held in the affected data. That limits the value of the stolen records for cloning physical cards, but a practitioner should note that it does not eliminate card-not-present risk: card number and expiry date alone can still be tried against online merchants that do not require the CVV, which is why issuers typically monitor or reissue exposed cards rather than rely on the missing CVV alone.
However, some 105,000 non-EU issued payment cards, which lack chip and PIN protection, were also compromised, the statement said.
Dixons Carphone has notified all those impacted by the breach, according to the statement.
While the cause of the breach remains unknown, it’s worth noting that the company was created in 2014 by merging Dixons Retail (founded in 1937) and Carphone Warehouse (founded in 1989). It is plausible that both companies brought a host of legacy infrastructure into the merged business, some of which could have been unpatched or poorly protected. The July 2017 start date and the length of time before discovery also point to gaps in monitoring of the card-processing environment, whatever the initial entry point turns out to have been.
Updating legacy infrastructure to modern security standards is difficult, but the up-front pain is worth it when companies weigh it against the impact of a breach. The Dixons Carphone case demonstrates how important it is to take security seriously and to modernize infrastructure incrementally, instead of waiting until changes are no longer feasible.
The big takeaways for tech leaders:
- UK electronics retailer Dixons Carphone experienced a massive data breach, with attackers accessing 5.9 million customer payment card details and an additional 1.2 million records that contained personal information.
- The cause of the breach remains unknown, but the case is a reminder that companies should bring legacy infrastructure up to modern security standards and monitor payment-processing systems closely enough to detect intrusions in days, not months.
