ICO fines Dixons Carphone £500,000 for data breach
The ICO has fined DSG Retail Limited £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. An ICO investigation found that an attacker installed malware on 5,390 tills at Currys, PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected. The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers. DSG was found to have poor security arrangements and failed to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing. The ICO fined Carphone Warehouse £400,00 in January 2018 for similar security vulnerabilities. A copy of the penalty notice can be found here.