ICO slaps Dixons Carphone with hefty fine following cyber attack
The Information Commissioner's Office has hit Dixons Carphone with a £500,000 fine over a cyber attack that targeted millions of customer accounts.
An attacker installed malware on 5,390 tills at its Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
A failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
The group breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data, the ICO said. The shortcomings included inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.
In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said Steve Eckersley, ICO’s Director of Investigations.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR. Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.”
Dixons Carphone Chief Executive, Alex Baldock, commented: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”
There was no confirmed evidence of any customers suffering fraud or financial loss, he added. He also said the company had upgraded its detection and response capabilities and invested significantly in information security systems and processes.
“We are disappointed in some of the ICO's key findings which we have previously challenged and continue to dispute. We're studying their conclusions in detail and considering our grounds for appeal,” Baldock concluded.