[BreachExchange] Dixons Carphone fined £500,000 for massive data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jan 13 10:14:01 EST 2020


https://www.theguardian.com/business/2020/jan/09/dixons-carphone-fined-500000-for-massive-data-breach

Dixons Carphone has been hit with the maximum possible fine after the
tills in its shops were compromised by a cyber-attack that affected at
least 14 million people.

The retailer discovered the massive data breach last summer and a
subsequent investigation by the Information Commissioner’s Office
(ICO) found the attacker had installed malicious software on 5,390
tills in branches of its Currys PC World and Dixons Travel chains.

The rogue software went undetected over a nine-month period between
July 2017 and April 2018 and collected a huge amount of data, leaving
customers vulnerable to both financial theft and identity fraud.

Steve Eckersley, the ICO’s director of investigations, said the ICO
had found “systemic failures” in the way Dixons Carphone looked after
its customer data. “Such careless loss of data is likely to have
caused distress to many people since the data breach left them exposed
to increased risk of fraud,” he said.


The attacker harvested the payment card details of 5.6 million people
as well as the personal information – including full names, postcodes,
email addresses and details of failed credit checks – of approximately
14 million, the data watchdog said in a statement announcing the
£500,000 fine.

The ICO said Dixons Carphone’s poor security arrangements and the
inadequate steps taken to protect data had breached the Data
Protection Act 1998. Last year the ICO fined Carphone Warehouse, part
of the same group, £400,000 for similar security vulnerabilities.

The fine is the maximum penalty under the former legislation
protecting consumers’ data. The powers of the ICO were bolstered last
year when that law was replaced by the General Data Protection
Regulation (GDPR). It can now fine a company up to 4% of their annual
global turnover, and in the summer, British Airways was fined £183m,
while the Marriott hotel group received a near-£100m censure.

Eckersley said: “The contraventions in this case were so serious that
we imposed the maximum penalty under the previous legislation, but the
fine would inevitably have been much higher under the GDPR.”

Alex Baldock, the group chief executive of Dixons Carphone, said the
company disputed some of the ICO’s findings and was considering its
grounds for appeal. The company had, he said, made significant
investment in its information security systems and processes. There
was “no confirmed evidence of any customers suffering fraud or
financial loss as a result”, he added.

“We are very sorry for any inconvenience this historic incident caused
to our customers,” said Baldock. “When we found the unauthorised
access to data, we promptly launched an investigation, added extra
security measures and contained the incident. We duly notified
regulators and the police and communicated with all our customers.”
