Currys PC World parent firm hit with £500k fine over historic data breach

Hackers said to have stolen data belonging to 14 million customers over a nine-month period

The parent company of Currys PC World has been fined £500,000 after its point of sale system was breached by hackers, thought to have affected around 14 million customers.

Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixon Travel outlets, both owned by DSG Retail Limited, according to an investigation by the Information Commissioner's Office.

It's believed 5.6 million payment card records used in transactions were accessed as a result, as well as the personal information of 14 million people, including full names, postcodes, email addresses and information related to failed credit checks.

Given that the incident occured prior to the introduction of the General Data Protection Regulation in May 2018, the case fell under the Data Protection Act 1998, which stipulated a maximum fine of £500,000. Under new laws, the retailer would have been subject to potential fines of up to 4% of annual turnover, or £17 million.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The ICO said that DSG Retail, which also owns the Carphone Warehouse brand, was in breach of the 1998 act as it had failed to maintain adequate security measures to protect its data. This included poor patch management, a lack of a local firewall, lack of network segregation and a lack of routine penetration testing.

Carphone Warehouse itself was also fined in January 2018 for similar vulnerabilities, to the tune of £400,000.

"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data," said Steve Eckersley, director of investigations for the ICO. "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."

Related Resource

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

The authority added that the theft of such personal data would likely significantly affect individuals' privacy, and therefore met the criteria for the toughest possible sanction under law. It added that customers would likely be vulnerable to financial theft and fraud as a result.

As of March 2019, 3,300 customers had issued complaints to DSG Retail in relation to the breach.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020