Dixons Carphone has been fined half a million pounds after the computer system in its tills suffered a cyberattack, affecting at least 14 million people, in what the Information Commissioner’s Office (ICO) described as a “careless loss of data”.
According to the ICO, malware was installed on 5,390 tills at Currys PC World and Dixons Travel stores between July 2017 and April 2018.
Because the attack went undetected for nine months, this gave attackers unauthorised access to 5.6 million payment card details and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks.
As a result, the ICO has issued the maximum fine under the Data Protection Act 1998, the predecessor of the General Data Protection Regulation (GDPR). Carphone Warehouse was also fined £400,000 in January 2018 for similar security vulnerabilities.
Dixons Carphone ICO fine “a wake-up call for companies”
While this fine may appear small compared with the likes of BA’s eye-watering fine of £183m for its 2018 data breach, Dixons Carphone’s incident took place before GDPR came into force in May 2018, meaning it has escaped a far larger fine. The maximum fine is now 4% of annual global turnover or €20m, whichever is higher.
However, the fine indicates that the ICO is willing to impose maximum fines for “systematic failures” that persist in companies’ cybersecurity. For Dixons Carphone, the ICO identified inadequate software patching, absence of a local firewall and lack of network segregation and routine security testing as serious vulnerabilities that left the company open to an attack.
Nina Lazic, Associate Director at international law firm Osborne Clarke, said:
“The ICO’s decision should be a wake-up call for those companies that continue to bury their heads in the sand on cyber security risk. In fining Dixons Carphone the maximum amount possible under the law in place before the GDPR, the ICO has made it clear that large, nationwide companies need to ‘lead by example’ when it comes to cyber security. When assessing compliance with the required standards, the ICO will scrutinise closely whether companies have implemented publicly available guidance or any specific advice given to the company by cyber security consultants. The ICO is unlikely to show leniency to those companies that fail to implement the advice given to them.”
“The fine could have been substantially higher under GDPR”
Matt Aldridge, Principal Solutions Architect at IT security company Webroot, said that even though the company has dodged a larger fine, the resulting reputational damage could have more long-lasting consequences:
“From a reputation protection standpoint alone, being in the spotlight for data protection transgressions and data breaches is not good for business. On the enforcement side, it is likely that more clear guidance will be needed so that companies can easily ensure they are operating in a fully compliant state before they are breached, rather than attempting to demonstrate this after a breach has occurred.”
This comes after the company posted a 60% fall in profits in the first half of 2019. Aldridge said:
“It is now more important than ever that compliance efforts made by organisations go hand in hand with verifiable security controls and robust processes. MSSPs and compliance specialists can play a key role in helping companies to achieve this, along with other cybersecurity service providers, but in turn those companies must ensure that they have done and recorded their due diligence when selecting such partners.
“Yet again in this case, we see that patch management and proper network segmentation have been neglected, along with regular, robust security testing. DSG may have dodged a bullet here because the fine is not covered by GDPR, due to this breach happening before GDPR came into effect. The fine could have been substantially higher under GDPR.”
Lucy Ingham 2:12 PM