Homewares chain Robert Dyas hit by data breach

The business, which operates online and in 93 stores across the Midlands and south of England, has admitted that sensitive customer data including bank card details, cardholder names and billing addresses was accessed between 7 March 2020 and 30 March 2020 . 

Reports suggest that the business’s website was targeted by ‘card skimming’ software which collected customers’ bank details through their online purchases on the Robert Dyas website. 

A company spokesman has confirmed that ‘long’ card numbers and security (CVV) codes were collected which would appear to expose affected customers to the risk of fraudulent transactions being processed with their bank details. 

Robert Dyas has published further information. It advises that its website security team took steps to close the vulnerability when it was identified and has informed affected customers by email. 

All customers are advised to contact their bank or credit card providers “as a precaution” and any customers who believe they are a victim of fraudulent activity are advised to contact their bank immediately and report the incident to Action Fraud. 

Robert Dyas has also committed to reimburse customers, “for any fraudulent activity on their accounts as a direct result of the data theft”, and that they will provide details of the process of this in “due course”.

Sean Humber, partner at Leigh Day and specialist in Data Protection and Privacy claims commented:

“This is yet another serious incident affecting a business which is trusted by thousands of customers to safely and securely process online purchases. The combination of data that has been accessed is particularly worrying, and Robert Dyas appear to accept themselves that there is a significant risk that those affected will be targeted by fraudsters.

“In the short term, we reiterate the advice that anyone affected should contact their bank or card provider for advice about how best to protect themselves. If you do suspect you have been the victim of fraud this can be reported to Action Fraud”. 

Gene Matthews, also partner at Leigh Day with expertise in Data Protection and Privacy claims added: 

“Looking further ahead, it is right that Robert Dyas has already reported this matter to the Information Commissioner. To ensure that lessons are learned, and customers are protected in the future, relevant findings must be published as soon as they are available.

“Robert Dyas’ commitment to reimburse any customers who are left out of pocket as a result of this situation is to be welcomed. However, a number of customers will have been significantly inconvenienced by this data breach and, unfortunately, our experience in dealing with data breach matters shows us that not all customers are carefully reviewing their debit/ credit card statements for unusual activity.  

“The affected customers face the prospect of fraudulent activity taking place in the future (unless their card details have already been changed). Customers rightly expect their personal information to be properly protected, and where this has not been the case they may be entitled to compensation for the stress, worry and any additional financial losses caused.”

If you believe you have been affected by the above matter and would like to explore your legal options please contact our legal team at postbox@leighday.co.uk or call 020 7650 1200.