Currys PC World parent firm hit with £500k fine over historic data breach

Hackers said to have stolen data belonging to 14 million customers over a nine-month period

The parent company of Currys PC World has been fined £500,000 after its point of sale system was breached by hackers, thought to have affected around 14 million customers.

Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixon Travel outlets, both owned by DSG Retail Limited, according to an investigation by the Information Commissioner's Office.

Advertisement - Article continues below

It's believed 5.6 million payment card records used in transactions were accessed as a result, as well as the personal information of 14 million people, including full names, postcodes, email addresses and information related to failed credit checks.

Given that the incident occured prior to the introduction of the General Data Protection Regulation in May 2018, the case fell under the Data Protection Act 1998, which stipulated a maximum fine of £500,000. Under new laws, the retailer would have been subject to potential fines of up to 4% of annual turnover, or £17 million.

The ICO said that DSG Retail, which also owns the Carphone Warehouse brand, was in breach of the 1998 act as it had failed to maintain adequate security measures to protect its data. This included poor patch management, a lack of a local firewall, lack of network segregation and a lack of routine penetration testing.

Carphone Warehouse itself was also fined in January 2018 for similar vulnerabilities, to the tune of £400,000.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data," said Steve Eckersley, director of investigations for the ICO. "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."

Related Resource

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

The authority added that the theft of such personal data would likely significantly affect individuals' privacy, and therefore met the criteria for the toughest possible sanction under law. It added that customers would likely be vulnerable to financial theft and fraud as a result.

As of March 2019, 3,300 customers had issued complaints to DSG Retail in relation to the breach.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/policy-legislation/general-data-protection-regulation-gdpr/355337/ico-will-reduce-gdpr-fines-due-to
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
Visit/security/privacy/355304/nhs-working-with-apple-google-coronavirus-tracking-app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020