ICO Fines Dixons Carphone £500,000 for Data Breach

Dixons Carphone has been hit with the maximum possible fine after the tills in its shops were compromised by a cyber-attack that affected at least 14 million people.

The retailer discovered the massive data breach last summer and a subsequent investigation by the Information Commissioner’s Office (ICO) found the attacker had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.
The rogue software went undetected over a nine-month period between July 2017 and April 2018 and collected a huge amount of data, leaving customers vulnerable to both financial theft and identity fraud.

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.
The attacker harvested the payment card details of 5.6 million people as well as the personal information – including full names, postcodes, email addresses and details of failed credit checks – of approximately 14 million, the data watchdog said in a statement announcing the £500,000 fine.

The ICO said Dixons Carphone’s poor security arrangements and the inadequate steps taken to protect data had breached the Data Protection Act 1998. Last year the ICO fined Carphone Warehouse, part of the same group, £400,000 for similar security vulnerabilities.

The fine is the maximum penalty under the former legislation protecting consumers’ data. The powers of the ICO were bolstered last year when that law was replaced by the General Data Protection Regulation (GDPR). It can now fine a company up to 4% of their annual global turnover, and in the summer, British Airways was fined £183m, while the Marriott hotel group received a near-£100m censure.

Eckersley said:

The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.

Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result,” he added.

“We are very sorry for any inconvenience this historic incident caused to our customers … When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Source: The Guardian

Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance