The Dixons Carphone data breach fine has been formally issued by the Information Commissioner’s Office (ICO) for the maximum amount possible under the previous rules.
The cyberattack took place between July 2017 and April 2018, meaning the Data Protection Act 1998 applies rather than the GDPR, which came into force just a month later, on 25 May 2018. As such, the maximum fine the retailer could face was £500,000.00, which is what the ICO has issued. Had the attack continued into the GDPR era, the company could have faced a fine running into hundreds of millions of pounds.
We’ve been representing victims of this data breach for some time now as expert data protection compensation lawyers with a wealth of experience in large consumer actions. As we know a great deal about this breach as it’s one of our live actions, we’re not surprised by the findings and the maximum fine being issued.
ICO issues maximum Dixons Carphone data breach fine
The ICO has been heavily critical of the company in the wake of the maximum Dixons Carphone data breach fine, which is not surprising given the scale and nature of this data breach.
This fine follows a £400,000.00 penalty issued in January 2018 to Carphone Warehouse (a part of the same group) for similar failures.
In this breach, the company's POS ('point of sale') computer system was compromised between July 2017 and April 2018. This resulted in a monumental data breach affecting the personal information of around 14 million customers. The details of 5.6 million payment cards were also compromised, and the attackers were able to steal data for a period of 9 months before the intrusion was detected by the company.
The ICO has confirmed that DSG Retail Ltd (the formal company name) had “poor security arrangements” and failed to take adequate steps to protect the data they held. They have also cited “vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.”
Response to the fine
In response to the Dixons Carphone data breach fine, the company’s Chief Executive has reportedly said that he is “disappointed” with some of the ICO’s findings.
The company is also said to be considering an appeal.
However, the ICO’s comments in the wake of the fine have been strong in terms of their findings. The ICO’s Director of Investigations, Steve Eckersley, said:
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
A serious breach
In my mind, the Dixons Carphone data breach fine seems appropriate given the nature of the cyberattack and how many people were affected. This was a very serious breach that affected millions of people and stemmed from a sustained period of vulnerability which, based on the ICO’s current findings, could have been preventable.
We often see that breaches have been possible as a result of a failure to patch known vulnerabilities. We saw this with the Equifax data breach that we’re running an action for, and we’re seeing it again now in the latest Travelex incident where hackers are holding the company to ransom.
When security is adequate, up-to-date and fully patched, data can be secure. When it’s not, data can be vulnerable, and hackers will target the easiest prey. This is a fact that all organisations must always have at the forefront of their minds.