Dixons Carphone hit with £500,000 fine after data breach affecting 14 million people

Investigation found malware installed on over 5,000 PoS terminals.

Why only one in three organizations are GDPR compliant -- and the risks they're facing as a result ZDNet's Danny Palmer tells Karen Roby that over a year after coming into force, these three things are still causing trouble for organizations. Read more: https://zd.net/2nxbLDO

A UK retailer has been issued with a £500,000 fine by the Information Commissioner's Office (ICO) after a cyberattack resulted in hackers gaining access to personal information of 14 million people.

An ICO investigation found that the campaign was active between July 2017 and April 2018 – and saw malware installed on 5,390 tills at Currys PC World and Dixons Travel Stores, owned by DSG Retail Ltd.

That allowed attackers to collect personal data of customers over a nine-month period, resulting in 5.6 million people having credit card data stolen. A total of 14 million people had personal information including full names, postcodes, email addresses, and failed credit checks, accessed by cyber criminals.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)   

DSG Limited has been found to have breached the 1998 Data Protection Act by having "having poor security arrangements" and" failing to take adequate steps to protect personal data" the ICO said.

Oversights detailed following the investigation included inadequate software patching, absence of firewalls, as well as a lack of network segregation and routine security testing.

"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen," said Steve Eckersley, director of investigations at the ICO.

The incident occurred before the General Data Protection Regulation (GDPR) came into force in May 2018, so the fine had to be in line with the legislation then in force. But the ICO made it clear that the fine would have been much higher if the hack had happened under GDPR.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR," it said.

The ICO said the personal data involved in the breach would "significantly affect individuals' privacy" and leave customers open to identity theft and fraud.

"Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud," said Eckersley.

However, in a statement issued to ZDNet, Dixons Carphone CEO Alex Baldock said: "We have no confirmed evidence of any customers suffering fraud or financial loss as a result."

"We are disappointed in some of the ICO's key findings, which we have previously challenged and continue to dispute. We're studying their conclusions in detail and considering our grounds for appeal," he added.

SEE: 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world

The company says it has since upgraded its detection and response capabilities and made "significant" investment in information security.

In January 2018, Carphone Warehouse – part of the same company group as Dixons Carphone – was fined for similar security vulnerabilities that led to a data breach in 2015.

MORE ON CYBERSECURITY