The Information Commissioner’s Office has suffered a significant defeat in the UK courts after being forced to slash its fine against DSG Retail – now rebranded as Currys – for what were originally branded “systemic” security failings.
The tribunal has cut the ICO’s £500,000 fine in half, and rejected the majority of the ICO’s findings on the extent of technical vulnerabilities that contributed to a major hack. Even so, the company is planning to appeal even this reduced amount.
In its original ruling, made in January 2020, the ICO insisted its investigation had found that an attacker had installed malware on 5,390 tills at Currys PC World and Dixons Travel stores back in 2017, collecting personal data between July of that year right up when the hack was finally detected in April 2018.
The ICO found that the company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of about 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
At the time the fine was issued, Dixons Carphone chief executive Alex Baldock said the company was “disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute”. He added: “We’re studying their conclusions in detail and considering our grounds for appeal.”
In the first-tier tribunal ruling, published this week, the judge criticised the regulator’s “unusual” decision to significantly narrow its case.
A spokesperson for Currys Plc said: “We decided to challenge the ICO’s monetary penalty notice because we disagreed with a number of the findings within it. During the course of the tribunal proceedings, the ICO withdrew some of its findings.
“We are pleased to note that the tribunal has now overturned many of the ICO’s remaining findings, and held that the ICO’s monetary penalty notice was wrong in law. We are pleased that the tribunal found that our IT security was generally of a high standard, and also with the significant reduction in the fine.
“However, we believe the remaining aspects warrant review, and we will be applying for permission to appeal the tribunal’s decision.”
Currys unveils first UK loyalty club in brand relaunch
Dixons Carphone goes back to 1850 for Currys rebrand
Black Friday surge knocks out Currys PC World website
Currys PC World battered over contact centre meltdown
Dixons Carphone appeals ICO fine for ‘systemic’ failings
Dixons slams £500k fine but it could have been £400m
Carphone Warehouse rocked by £400,000 ICO data fine