On 9 January 2020, the UK’s Information Commissioner’s Office (“ICO”) announced that it had fined DSG Retail Limited (“DSG”), a UK-based IT retailer trading under brands including Currys PC World and Dixons Travel, £500,000 in connection with a cyber-attack which affected at least 14 million people.
The ICO’s investigation revealed that an attacker had installed malware on 5,390 point-of-sale terminals (that is, the in-store devices on which customer payments are taken) across DSG’s Currys PC World and Dixons Travel stores. The malware gathered customer personal data, including full names, postcodes, email addresses and failed credit checks, from internal servers for nine months, between July 2017 and April 2018, before it was discovered. It was also found that 5.6 million payment card details used in transactions were accessed during this time.
The ICO noted that there were “systemic failures” in DSG’s processes with regard to safeguarding personal data and that these failures related to “basic, commonplace security measures showing a complete disregard for the customers whose personal information was stolen”. Specifically, the ICO outlined that DSG had inadequate software patching, no local firewall, a lack of network segregation and no routine security testing. The ICO determined that, in failing to take adequate steps to protect customer personal data, DSG had breached the Data Protection Act 1998 (“DPA”), the legislation that preceded the GDPR.
As the timing of the cyber-attack predated the General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018, the fine was issued under the DPA. The ICO subsequently imposed the maximum fine under the DPA of £500,000. The ICO concluded that, due to the types of personal data concerned, the privacy of those involved would be significantly affected and those individuals would be exposed to the risk of financial theft and identity fraud.
DSG has 28 days from the date of the monetary penalty notice (7 January 2020) to appeal the fine.