Dixons Carphone fined £500k over data loss
10 Jan 2020
DSG Retail Ltd, a subsidiary of Dixons Carphone, has been hit with a £500,000 fine, the maximum possible under the Data Protection Act 1998, over a data breach
The fine was issued by the Information Commissioner’s Office (ICO) after a point-of-sale (POS) computer system was compromised in a cyber attack, affecting at least 14m people.
Steve Eckersley, ICO’s director of investigations, said: ‘Our investigation found systemic failures in the way DSG Retail Ltd safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
‘The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR [General Data Protection Regulation].’
The investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
The company’s failure to secure the system allowed unauthorised access to 5.6m payment card details used in transactions and the personal information of approximately 14m people, including full names, postcodes, email addresses and failed credit checks from internal servers.
DSG was found to have breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data.
This included vulnerabilities such as inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.
The investigation found that the POS terminals ran a Java-based client-server application on a version of Java that was eight years out of date, and that the system did not support point-to-point encryption of card data.
In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities.
The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.
Eckersley said: ‘Organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.’
Alex Baldock, Dixons Carphone chief executive, said: ‘We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident.
‘We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.
‘We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes.
‘We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.’
GDPR came into effect in May 2018 and strengthened the ICO penalty regime, allowing for fines of up to 4% of an organisation’s annual global turnover.
Last summer, the ICO announced its intention to fine British Airways £183m for a customer data breach and the Marriott hotel group £99m for its data failures, both under the GDPR regime.