In the last week or so, Dixons Carphone has been given the biggest possible fine after the tills in its stores were compromised by a cyber-attack that is believed to have impacted on over 14 million people.
This major breach, revealed last summer, follows in the footsteps of significant data breaches at British Airways and Marriott Hotels. Following an investigation by the ICO, it was discovered that the attacker had installed malicious software on around 5,390 tills in branches of the Currys PC World and Dixons Travel chains.
This software was found to have remained undetected for nearly 9 months, between July 2017 and April 2018. In that time it gathered a significant amount of data, which left customers open to both financial theft and identity fraud.
Steve Eckersley from the ICO, who led the investigation into the breach, stated that the ICO had uncovered “systemic failures” in the way that Dixons Carphone protected customer data across its operations. He added that “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud”.
During the period of the breach, the attacker had managed to accumulate the payment card details of over 5.6 million people, in addition to other sensitive data such as the full names and postcodes of over 14 million people, the data watchdog added in a statement, in which it also revealed that Currys Carphone had been fined £500,000.
The ICO went on to state that Dixons Carphone’s poor security arrangements, and the measures it had taken to keep customer data secure, amounted to a major breach of the Data Protection Act 1998. This follows the fine that the ICO imposed on the Carphone Warehouse arm of the group for similar offences.
The fine given this time to Dixons Carphone was the maximum allowed under the older legislation that helped to protect consumers’ data. The powers of the ICO were further enhanced by the GDPR legislation introduced last year to replace the Data Protection Act 1998. Under the new legislation, companies can be fined up to 4% of their annual global turnover, as was the case for British Airways and Marriott Hotels.
Eckersley further added “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Responding to the fine, the group chief executive of Dixons Carphone, Alex Baldock, stated that the company didn’t agree with some of the ICO’s findings and was looking to launch an appeal. He further stated that the company had invested a significant sum in improving its information security systems and processes, and that there was no conclusive evidence that any customers had lost out as a result of this breach.
“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”
If you are looking to ensure that your business doesn’t fall foul of the GDPR legislation, there are a number of services that we offer to help keep your business secure, up to date and up to scratch, such as getting Cyber Security certified, disaster recovery, tiered security support packages and much more. For more information about all the security options available, please call 020 3004 4600 or fill in our online contact form.
If you want to receive articles like this straight into your inbox then sign up to our mailing list.