Dixons Carphone slapped with maximum fine for PoS cyber attack

Dixons Carphone has been fined £500,000 for the cyber attack on its systems that impacted at least 14 million customers in 2017 and 2018.

The Information Commissioner’s Office (ICO) announced the penalty yesterday (9 January) after its investigation found that an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores between July 2017 and April 2018. The attacker collected personal data over the nine-month period before the intrusion was detected.

According to the ICO, the company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

The ICO concluded that the electricals retailer had breached the Data Protection Act 1998 “by having poor security arrangements and failing to take adequate steps to protect personal data”.

The vulnerabilities the ICO cited included inadequate software patching, the absence of a local firewall on the tills, and a lack of both network segregation and routine security testing.

In January 2018, the Carphone Warehouse part of the group was handed a £400,000 fine by the ICO for similar security vulnerabilities. On that occasion, hackers gained access to the personal data of more than three million customers and 1,000 employees in 2015.

Commenting on the more recent fine for the group, which relates to the incident that first came to light in June 2018, Steve Eckersley, the ICO’s director of investigations, said there were “systemic failures” in the way the retailer safeguarded personal data.

“It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” he commented.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The investigation found that exposure of the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The ICO said it received 158 complaints from the retailer’s customers between June 2018 and November 2018.

“We recognise that cyber attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data,” Eckersley added.

Dixons Carphone CEO Alex Baldock has publicly apologised to customers on several occasions for the data breach, which first occurred before his arrival from Shop Direct in 2018.

In the retailer’s full-year results for 2018-19, announced last summer, it had recorded costs of £14 million associated with the data breach incident, which contributed to a sharp decline in profit at the group. An additional £6 million in costs related to the incident will be recorded in the current financial year.

Baldock apologised again yesterday, saying: “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident.

“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

He added: “We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes.

“We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”
