Dixons Carphone has been handed a fine of £500,000 as a result of a cyber-strike on the company’s shops which impacted upon at least 14 million individuals.
The incident was first uncovered in the summer of 2018, with a subsequent investigation carried out by the UK data regulator, the Information Commissioner’s Office (ICO) finding that malicious code had been implanted into 5,390 checkouts in branches belonging to Dixons Carphone.
The bugged software carried out its work in stealth for over nine months between July 2017 and April 2018, in which time huge swathes of consumer data were harvested, leaving innocent customers open to identity fraud, financial theft and other forms of cyber-crime.
The ICO’s director of investigations, Steve Eckersley, described how “systemic failures” existed in how the company under attack took care of its customers’ confidential information.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” Mr Eckersley said.
The perpetrators of the attack stole payment card details belonging to around 5.6 million individuals, besides personal information such as residential addresses, full names, email addresses, and data relating to failed credit checks. Around 14 million victims emerged from the incident, which has now led to the ICO issuing a £500,000 penalty – the maximum possible fine under the Data Protection Act 1998.
Had the attack taken place in the era of the General Data Protection Regulation (GDPR), the fines would surely have been considerably bigger. Presently, the ICO can leverage the GDPR to hit companies with a fine of 4% of annual global turnover, or €20 million, whichever sum is greater.
The ICO underlined how Dixons Carphone had poor security measures in place, and that data had not been properly protected as a result, in contravention of the Data Protection Act 1998. Carphone Warehouse was hit by a levy of £400,000 last year for misdemeanours of a similar nature.
Last summer, British Airways was hit with a fine of £183 million, while Marriott International is currently digesting an issued penalty of around £100 million.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” Mr Eckersley added.
Group chief executive of Dixons Carphone, Alex Baldock, said how the firm does not fully accept the ICO’s findings, underlining how an appeal may yet be made. Mr Baldock also emphasised how there is “no confirmed evidence of any customers suffering fraud or financial loss as a result [of the data breach].”
“We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers,” Mr Baldock added.
The post #Privacy: Dixons Carphone hit with £500,000 data breach fine appeared first on PrivSec Report.