Dixons Carphone Hit with £500,000 Penalty for Pre-GDPR Massive Data Breach

A cyber breach that impacted approximately 14 million customers of Dixons Carphone in the UK has resulted in the highest possible fine being applied to the retailer.

It was discovered that the tills in retail outlets had been compromised, which led to an investigation by the Information Commissioner's Office (ICO). According to the subsequent investigation, cybercriminals installed malware on 5,390 POS systems at DSG's Currys PC World and Dixons Carphone stores at some point between July 2017 and April 2018. Overall, the hackers illegally obtained 5.6 million payment card details and the personal information of around 14 million people, including full names, postcodes, email addresses, and failed credit checks from internal servers.

ICO released a statement in relation to the breach that read: “DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing”.

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. He said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Alex Baldock, Dixons Carphone chief executive, said: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result. We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes. We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”

Dixons Carphone could count themselves fortunate that the breach occurred prior to the 25 May 2018 introduction of the European Union's General Data Protection Regulation (GDPR), as the fine could have been much greater. Under GDPR the highest possible fine is €20m or 4% of annual revenue for the previous financial year. £500,000 represents the highest possible fine under the previous regime in the UK.