Dixons Carphone could find itself in a whole lot of bother following the data breach which exposed 6 million customers’ payment card details. The Information Commissioner’s Office has said that it is investigating whether the incident should be treated under GDPR, a move which could trigger a fine of hundreds of millions of pounds.
The company insists the breach started in July last year, but that it only found out about it in the past fortnight. If the ICO probe finds it continued past the May 25 GDPR D-Day, Dixons Carphone could be hit with a fine of up to 4% of global turnover, which, with turnover at £10.58bn for the past financial year, could be as high as £400m.
While Information Commissioner Elizabeth Denham has stressed that fines will be the last resort, Dixons Carphone has previous. Earlier this year, the ICO slapped sister company Carphone Warehouse with a £400,000 fine – one of the highest ever issued – for what the regulator branded “multiple inadequacies” in its data security.
If it is found that similar failings led to the new breach, and that it fell within GDPR, Dixons Carphone could be in for a rough ride.
An ICO spokesperson said: “It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
Whatever the outcome, the firm could also face significant legal action from customers. According to data protection lawyer Sean Humber from law firm Leigh Day, those affected do not have to have just suffered financial losses to make a claim.
He said: “This is a huge data breach made all the more serious because customers’ financial information has been hacked.
“Those affected are likely to have claims for compensation not only for any financial losses that they may have suffered but also for the anxiety and distress caused by the breach.
“The apparent deficiencies in Dixons Carphone’s security measures are all the more disappointing given that the company was a victim of a cyber-attack in 2015 that resulted in the personal information of over 3 million customers being hacked. Sadly, it now seems clear that Dixons Carphone failed to learn the lesson from this previous incident.”