A Dixons Carphone subsidiary has been fined £500,000 after point-of-sale computers in Currys PC World and Dixons Travel shops were attacked in a cyber-attack that affected millions of customers. The Information Commissioner’s Office (ICO), imposing the fine, warned that while it had fined DSG Retail the maximum under the legislation that was then in force, it would have been “much higher” under the new GDPR laws.
The personal data of at least 14m people – including full names, postcodes, email addresses, failed credit check information, and the details of 5.6m payment cards that had been used in transactions – was collected over the course of nine months running up to April 2018. An attacker had installed malware on 5,390 tills at the store.
This comes two years after the ICO fined Carphone Warehouse, part of the same group, £400,000 for similar security failings. In the case of Currys PC World and Dixons Travel the ICO identified vulnerabilities including inadequate software patching, absence of a local firewall, lack of network segregation and routine security testing.
Between June 2018 and November 2018, 158 Dixons Retail customers contacted the ICO to complain, while nearly 3,300 had done so by March 2019.
Steve Eckersley, ICO director of investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Alex Baldock, chief executive of Dixons Carphone, said: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.
“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our Information Security systems and processes.
“We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”
In light of the event, the Information Commissioner’s Office has reminded organisations of the importance of properly protecting their systems and personal data.
Eckersley said: “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.
“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”
Commenting, Susan Hall, partner and head of technology at law firm Clarke Willmott, said: “As payment card details are involved in this data breach, in addition to other personal information, it is likely that the fine by the ICO will be the tip of the iceberg for Dixons Carphone. Businesses’ handling of payment card data is subject to the Payment Card Industry Data Security Standard (PCI DSS) and failure to comply with PCI DSS can give rise to a range of sanctions, including both financial sanctions and procedural requirements, such as a forensic audit (at the non-compliant business’ cost).
“The fine also paves the way for action to be taken by anyone who has suffered loss as a result of the breach.
“The size of the fine is of interest as it is only the second time that the ICO has imposed the maximum £500,000 limit for historical, pre-GDPR offences. As both of these fines have been levied after the introduction of GDPR in May 2018 it appears to be an example of ‘fine inflation’ where the baseline gradually creeps up, possibly as a result of the significantly higher fines that would have been available if the breaches had happened after GDPR had come into force.”
Currys PC World is a Leading retailer in IRUK Top500 research, while Carphone Warehouse is Top50.
Image: InternetRetailing Media/Paul Skeldon