The Information Commissioner’s Office is facing yet another legal challenge – and further budget-busting expense – following reports that Dixons Carphone is launching an appeal against its recent £500,000 fine for what were branded “systemic” security failings.
In its ruling, the ICO insisted its investigation had found that an attacker had installed malware on 5,390 tills at Currys PC World and Dixons Travel stores back in 2017, collecting personal data from July of that year right up until the hack was finally detected in April 2018.
The ICO found that the company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of about 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
At the time the fine was issued, Dixons Carphone chief executive Alex Baldock said the company was “disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute”. He added: “We’re studying their conclusions in detail and considering our grounds for appeal.”
The company hardly has a great track record, however. In January 2018, Carphone Warehouse, which is part of the same group, was fined £400,000 after a 2015 cyber-attack allowed unauthorised access to the personal data of over 3 million customers and 1,000 employees.
The legal action will pile further pressure on the ICO’s resources. Late last year, the regulator was forced to get a £600,000 bailout from the Treasury to meet increased legal and professional services expenditure.
In its monthly accounts, the ICO stated: “With the significant legal costs involved in litigation linked to fines, the Department of Digital, Culture, Media & Sport are looking to partly offset these within year. The ICO are currently in dialogue to agree a longer term model to recover the costs of litigation connected with issuing fines.”
However, there is slightly better news for the ICO in its quest to get companies to cough up for the annual data protection fee. According to its December accounts, its fee collectors managed to beat budget by nearly £300,000 for the month. The ICO is still running £1.3m behind schedule – gathering £33.3m against a budget of £34.7m – but insists it is on course to meet its £46.5m target by the end of its financial year in March.