Dixons Carphone Receives Maximum Fine for Major Breach
A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.
Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after POS malware was installed on 5390 tills.
The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.
The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said ICO director of investigations, Steve Eckersley.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Eckersley claimed that the stolen data exposed customers to significant risk of follow-on identity fraud and financial theft, with almost 3300 of them contacting the ICO by March 2019 about the breach.
However, the retailer said it is considering an appeal.
“When we found the unauthorized access to data, we promptly launched an investigation, added extra security measures and contained the incident,” said CEO Alex Baldock in a statement.
“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”
Another business in the group, Carphone Warehouse, was fined £400,000 by the ICO in 2018 for similar security issues.
Source: Information Security Magazine