Dixons Carphone has been fined £500,000 after a cyberattack on its in-store tills affected over 14 million people.
The company discovered the huge data breach last summer and the Information Commissioner’s Office (ICO) launched an investigation soon after. The ICO concluded that the attacker had installed malicious software on over 5,000 tills in its stores, including both the Currys PC World and Dixons Travel chains.
The malicious software went undetected for almost nine months, between July 2017 and April 2018. During that time it gathered a huge amount of personal data, which left consumers exposed to financial risk, theft and identity fraud.
Following the investigation, the ICO’s Director of Investigations, Steve Eckersley, said that the ICO had found “systemic failures” in the way Dixons Carphone managed its consumer data. He added:
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.”
According to the ICO, the software harvested the payment card details of 5.6 million people in addition to the personal information of 14 million consumers. This data included names, email addresses and information regarding credit checks.
The ICO said the company’s lack of security protection and the poor steps taken to manage consumer data were in violation of the Data Protection Act 1998. Carphone Warehouse, a company in the same group as Dixons Carphone, was fined £400,000 by the ICO last year for similar security failings.
Jamal Ahmed, Director of Kazient Privacy Experts, said of the breach:
“It is completely unacceptable for businesses of this size to have such a poor focus on data protection. I am pleased to see the maximum fine imposed against them and the loss of business they suffer over the coming months and years will be more painful than the fine.”
He went on to encourage all organisations to act, saying:
“I encourage all organisations, especially charities, that collect payment details to review their technical and organisational measures to make sure they are doing everything within reason to protect our data.”
The fine is the maximum available under the former legislation protecting consumers’ data. The ICO’s powers were strengthened last year with the introduction of the 2018 General Data Protection Regulation (GDPR), under which a company can now be fined up to 4% of its annual global turnover. Last year both British Airways and Marriott hotels were issued with notices of intent to impose large fines as a result of major data breaches.
Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Alex Baldock, group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, invested significantly in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.
“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.