Dixons Carphone has been fined £500,000, the maximum possible fine under the pre-GDPR regulations, by the UK’s privacy regulator.
According to findings by the Information Commissioner’s Office (ICO), serious security deficiencies allowed hackers to install malware on 5,390 tills at the company’s Currys PC World and Dixons Travel stores.
Customers’ data was exposed to hackers over a period of nine months. The malware enabled the attackers to gain unauthorised access to the 5.6 million payment card details used in customer transactions, the ICO said.
The regulator’s investigation found that customers’ full names, postcodes, email addresses and failed credit checks were also compromised during the attack, which took place between July 2017 and April 2018.
Along with “poor security arrangements”, the report also cited ineffective software patching, the absence of a local firewall, and a lack of network segregation and routine security testing as contributing factors that facilitated the data breach.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said ICO director of investigations, Steve Eckersley. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Eckersley said that the pilfered data posed a significant risk to the affected customers as it could lead to identity fraud and financial theft. Almost 3,300 customers contacted the ICO about the breach by March 2019.
Dixons Carphone said it is considering challenging the ruling as there was no evidence any customers suffered fraud or financial loss.
The company CEO, Alex Baldock, said: “We’re very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident.
“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result. We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes.
“We are disappointed in some of the ICO’s key findings, which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”