The ICO has fined Dixons Carphone (also known as DSG Retail), the parent company of the electronics retailers Currys PC World and Dixons Travel, £500,000 over a data breach of its point of sale (PoS) systems that affected millions of customers between July 2017 and April 2018.
The attack saw cyber criminals install malware on nearly 5,400 tills in Currys PC World and Dixons Travel stores, which enabled unauthorised access to 5.6 million payment card details used in transactions, and the personal information of 14 million customers, including their full names, postcodes, email addresses and information on failed credit card checks.
The ICO’s investigation found the retailer in breach of the Data Protection Act 1998 because of poor security arrangements, including a failure to patch software, a failure to install firewalls, a lack of network segregation, a lack of routine security testing, and a failure to adequately protect personal data.
Because the incident took place before the EU’s General Data Protection Regulation (GDPR) came into force, the fine is far lower than it could have been under the current regime. GDPR provides for fines of up to €20m (around £17m) or 4% of annual global turnover, whichever is higher.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said ICO investigations director Steve Eckersley.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation. Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.
“We recognise that cyber attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and, most importantly, people’s personal data,” he said.
The ICO said it judged that the range of compromised data points would “significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud”. It revealed that it had received a total of 158 complaints from Dixons Carphone customers who had been affected by the breach and added that many more contacted the retailer directly.
This is the second time in two years that the ICO has taken action against retailers in the Dixons Carphone group. In 2018, it levied a £400,000 penalty on Carphone Warehouse for a 2015 breach that affected 2.4 million customers. The company was also censured by the ICO in August 2010, when a number of completed and signed customer credit card agreements were found in a skip outside a PC World store.
Dixons Carphone chief executive, Alex Baldock, said: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.
“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes.
“We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal,” said Baldock.