Point-of-sale computers in Currys PC World and Dixons Travel shops suffered a cyber-attack affecting 14 million customers.
The Information Commissioner’s Office (ICO) imposed the maximum £500,000 fine on DSG Retail Limited (DSG) under the previous data protection legislation (the Data Protection Act 1998), which was in force when the incident occurred. However, it warned that the fine would have been much higher under the GDPR, which carries penalties of up to £17 million for a significant breach.
The ICO said the company behind Currys PC World and Carphone Warehouse failed to take basic steps to secure the system, which allowed unauthorised access to customers’ payment card details used in transactions and left millions of customers vulnerable to financial theft and identity fraud.
Malware was installed on 5,390 tills at the company’s Currys PC World and Dixons Travel stores. The breach gave the attackers unauthorised access to the details of 5.6 million payment cards used over a nine-month period between July 2017 and April 2018, when the cyber-attack was finally detected.
Hackers were able to access personal information including names, postcodes, email addresses and information relating to failed credit checks.
The company could have faced a bigger fine under the new General Data Protection Regulation (GDPR) rules, which allow fines of up to £17 million for a significant breach, although those rules only came into effect after the breach started.
Careless security
The ICO criticised the company for its careless security arrangements and failure to protect the data of its customers, which breached data protection laws.
They failed to update software to get rid of dangerous bugs and did not carry out proper security testing.
Steve Eckersley, ICO’s director of investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.
“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”
Previous fine
The company had previously been issued a fine of £400,000 by the ICO in January 2018 over a separate cyber-attack in 2016.
This incident also preceded the implementation of the GDPR in May 2018 and so was likewise outside the current regulations, which give the ICO the power to impose heftier fines.
In a statement, Dixons Carphone chief executive Alex Baldock said, “We are very sorry for any inconvenience this historic incident caused to our customers.
“When we found the unauthorised access to the data, we promptly launched an investigation, added extra security measures and contained the incident.
“We duly notified regulators and the police and communicated with all our customers.
“We have no confirmed evidence of any customers suffering fraud or financial loss as a result.
“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in security systems and processes.”