Currys-PC World fined £500,000 over cyber attack that compromised 14 million people's personal information
Currys owner DSG Retail fined the maximum under the old data protection regime - would've been much more under GDPR, warns ICO
DSG Retail, the electrical retailer behind Currys, PC World and Dixons, has been fined £500,000 by the ICO over a pre-GDPR cyber attack that compromised 5,390 cash tills.
The attack commenced in July 2017 and was only discovered in April 2018. In total, details of 5.6 million payment cards were accessed by the attackers and the personal information of 14 million people, including full names, postcodes, email addresses and failed credit checks, were compromised.
Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data
The compromised data has left the customers involved vulnerable to identity fraud and even outright financial theft.
The Information Commissioner's Office (ICO) blasted DSG Retail for "having poor security arrangements and failing to take adequate steps to protect personal data".
It criticised the company for a range of IT and security failings, including "inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing".
The contraventions in this case were so serious that we imposed the maximum penalty... but the fine would inevitably have been much higher under GDPR
The ICO therefore levied the maximum fine it is legally able to do so under the old Data Protection Act, which could be reduced by 20 per cent for prompt payment.
Steve Eckersley, the ICO's director of investigations, was forthright in his condemnation of DSG Retail's lackadaisical IT security.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen," said Eckersley.
He continued: "The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under GDPR."