Currys PC World parent firm hit with £500k fine over historic data breach

Hackers said to have stolen data belonging to 14 million customers over a nine-month period

The parent company of Currys PC World has been fined £500,000 after hackers breached its point of sale systems in an incident thought to have affected around 14 million customers.

Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixon Travel outlets, both owned by DSG Retail Limited, according to an investigation by the Information Commissioner's Office.


It's believed 5.6 million payment card records used in transactions were accessed as a result, as well as the personal information of 14 million people, including full names, postcodes, email addresses and information related to failed credit checks.

Given that the incident occurred prior to the introduction of the General Data Protection Regulation in May 2018, the case fell under the Data Protection Act 1998, which stipulated a maximum fine of £500,000. Under the new law, the retailer would have been subject to potential fines of up to 4% of annual turnover or £17 million, whichever is higher.

The ICO said that DSG Retail, which also owns the Carphone Warehouse brand, was in breach of the 1998 act as it had failed to maintain adequate security measures to protect its data. The failings included poor patch management, the absence of a local firewall, a lack of network segregation and a lack of routine penetration testing.

Carphone Warehouse itself was fined £400,000 in January 2018 for similar security failings.


"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data," said Steve Eckersley, director of investigations for the ICO. "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."


The authority added that the theft of such personal data was likely to significantly affect individuals' privacy, and therefore met the criteria for the toughest possible sanction under the law. It added that affected customers would likely be vulnerable to financial theft and fraud as a result.

As of March 2019, 3,300 customers had issued complaints to DSG Retail in relation to the breach.
