
The move follows the latest ruling – but not the final one – in a long-running legal case against DSG (now Currys) that could have wider repercussions in future data breaches, especially for ransomware attacks.
The DSG attack dates back to 2017, when hackers installed malware on 5,390 tills across the retailer’s stores. The malware went unnoticed for nine months, purloining up to 5.6 million payment card details and the personal information of around 14 million people.
Crucially, the card details involved were the long 16-digit card number and expiry dates, but not the names on the cards.
The ICO originally fined DSG £500,000 in 2020, the maximum penalty allowed under the pre-GDPR Data Protection Act 1998, but DSG then launched an appeal.
The penalty notice was upheld by the Court of Appeal’s First-tier Tribunal but later reversed by the Upper Tribunal, which sided with DSG Retail.
However, the legal arguments have raged over whether the card details the attackers stole could be used to identify cardholders.
DSG has long argued that this specific aspect of the case does not amount to a personal data breach since the hackers could not identify people from the payment card details alone.
The Upper Tribunal sided with DSG, ruling that because the hackers could not use the card data to identify people, that data should not be considered personal data for the purposes of a DPA 1998 offence.
However, late last week Lord Justice Warby concluded that this argument was incorrect, agreed with the ICO, and sent the case back to the First-tier Tribunal yet again.
Warby added that the same approach would effectively free data controllers of the burden of protecting data in the event of a ransomware attack, for example, provided the attacker could not use it to identify people.
He stated: “Technology has vastly increased in sophistication. The ability to locate, assemble, and combine disparate items to elicit information about individuals is greatly enhanced. It will often prove impossible to rule out the risk that unauthorised access to part of a data set, which does not itself identify any individual, could lead to processing by some unknown third party with (legitimate) access to the means of identification.”
DSG could appeal the tribunal’s decision yet again, sending it back to the Upper Tribunal. If disputes remain, it could become a matter for the UK Supreme Court.
ICO general counsel Binnie Goh said: “[This] judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.
“We welcome the Court of Appeal’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyberattacks can and do still cause real harm.
“With the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”