RISK

NEWS

Retailer fined for data security failure

16 Jan 2020

The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.

The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.

In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities.

Steve Eckersley, ICO’s Director of Investigations, said:

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.

Eckersley said:

“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.

“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”

Full details of the investigation can be found in the Monetary Penalty Notice.

You may also be interested in

RELATED CONTENT

RELATED COURSES

Risk Assessment and Method Statements (RAMS)
Risk Assessment and Method Statements (RAMS)

The Risk Assessment and Method Statement (RAMS) course examines the HSE’s recognised five-step approach to risk assessment.

IOSH Managing Safely
IOSH Managing Safely

The world’s best-known health and safety certificate, designed for managers and supervisors in any sector or organisation.

IOSH Safety for Executives and Directors
IOSH Safety for Executives and Directors

IOSH Safety for Executives and Directors is designed for those who have operational or strategic accountability for a company.

Introduction to health and safety
Introduction to health and safety

Introduction to health and safety gives learners a basic introduction to managing safety in their workplace.

Data breaches: your best chance of survival
Data breaches: your best chance of survival

Data breaches: your best chance of survival

Data Sharing Code of Practice laid before Parliament
Data Sharing Code of Practice laid before Parliament

The government has laid a code of practice on data sharing before Parliament, which aims to assist organisations in legally sharing data.

Firms warned to be responsible when transferring client data
Firms warned to be responsible when transferring client data

The current economic climate is changing the way many firms operate, causing some to leave the market or merge with other firms. When this happens, th...

TikTok fined £12.7 million for misusing children’s data
TikTok fined £12.7 million for misusing children’s data

The Information Commissioner’s Office (ICO) has issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for a ...