ICO fines Currys PC World £500k over data breach

Written by Hannah McGrath
10/01/2020

The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on DSG Retail, after till systems at Currys PC World and Dixons Travel were hacked, leaving the data of 14 million customers exposed to attack.

A hacker installed malware affecting the point of sale computer systems of 5,390 tills stores in an attack lasting from July 2017 to April 2018.

The ICO found that the company’s failure to secure the system meant the malware was able to access 5.6 million payment card details used in transactions and the personal information of approximately 14 million people during the nine months period before it was discovered.

The breach allowed unauthorised access to full names, postcodes, emails addresses and information on failed credit checks from internal servers.

The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.

The ICO said that DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.

In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities.

Steve Eckersley, the ICO’s director of investigations, said: “Our investigation found systemic failures in the way DSG Retail safeguarded personal data – it is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”