Dixons Carphone has condemned the data regulator for issuing it with a £500,000 fine – over “systemic” security failings – and says it is considering an appeal, despite avoiding a penalty of up to £400m by the skin of its teeth by halting the nine-month-long breach just weeks before GDPR came into force.
News of the breach only emerged in June 2018, when Dixons Carphone was forced to tell customers of its Currys PC World and Dixons Travel stores that their data had been compromised “in the past year”.
At the time, the group confessed the incident had involved 5.9 million payment cards and 1.2 million personal data records, although it insisted there was no evidence any of the cards had been used fraudulently following the breach.
However, an Information Commissioner’s Office investigation has laid bare the real story. The probe found that an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores back in 2017, collecting personal data from July of that year right up until the hack was finally detected in April 2018 – weeks before the GDPR D-Day of May 25.
The ICO found that the company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of about 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
But the timing of the incident meant that the retailer breached the Data Protection Act 1998 – and not GDPR – so the regulator could only fine the business a maximum of £500,000 instead of up to 4% of its £10.3bn global turnover, which could have been over £400m.
The ICO slated the company for having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
In January 2018, Carphone Warehouse, which is part of the same group, was fined £400,000 for similar security vulnerabilities.
ICO director of investigations Steve Eckersley said: “Our investigation found systemic failures in the way the company safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under GDPR.”
The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud.
The regulator received 158 complaints between June 2018 and November 2018 from Dixons Carphone’s customers. As of March 2019, the company reported that nearly 3,300 customers had been in contact in relation to this data breach.
Eckersley added: “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.
“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”
In response, Dixons Carphone chief executive Alex Baldock said: “We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes. We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”
Any such legal action would pile further pressure on the ICO’s resources. The regulator has already been forced to go cap in hand to the Treasury to meet increased legal and professional services expenditure – currently running £673,000 over budget – which it blamed on “litigation linked to fines”.
Earlier this week, the ICO confirmed it was extending the regulatory process for another three months over planned fines against British Airways and Marriott International, totalling £282m. The move has increased speculation that the fines could be significantly lower than those proposed in the regulator’s notices of intent.