Dixons Carphone has been hit with the maximum possible fine after the tills in its shops were compromised by a cyber-attack that affected at least 14 million people.
The retailer discovered the massive data breach last summer and a subsequent investigation by the Information Commissioner’s Office (ICO) found the attacker had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.
The rogue software went undetected for a nine-month period between July 2017 and April 2018 and collected a huge amount of data, leaving customers vulnerable to both financial theft and identity fraud.
Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.
The attacker harvested the payment card details of 5.6 million people as well as the personal information – including full names, postcodes, email addresses and details of failed credit checks – of approximately 14 million, the data watchdog said in a statement announcing the £500,000 fine.
The ICO said Dixons Carphone’s poor security arrangements and the inadequate steps taken to protect data had breached the Data Protection Act 1998. Last year the ICO fined Carphone Warehouse, part of the same group, £400,000 for similar security vulnerabilities.
The fine is the maximum penalty under the former legislation protecting consumers’ data. The ICO’s powers were bolstered last year when that law was replaced by the General Data Protection Regulation (GDPR), under which it can fine a company up to 4% of its annual global turnover. In the summer the ICO announced its intention to fine British Airways £183m and the Marriott hotel group almost £100m.
Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.
“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”